System hardening through configuration management

IT Impact Zone

This is a top level control.

This Control has the following implementation support Control(s):
  • Establish, implement, and maintain a Configuration Management program., CC ID: 00867
  • Identify and document the system's Configurable Items., CC ID: 02133
  • Establish, implement, and maintain a system hardening standard., CC ID: 00876
  • Establish, implement, and maintain system hardening procedures., CC ID: 12001
  • Configure initial system hardening according to the secure configuration baseline., CC ID: 13824
  • Lock configurations to prevent circumventing security measures., CC ID: 12187
  • Establish, implement, and maintain a Configuration Baseline Documentation Record., CC ID: 02130
  • Protect master copies of Configurable Items using secure methods or mechanisms., CC ID: 02131
  • Audit the configuration of organizational assets, as necessary., CC ID: 13653


  • External auditors should review the system specifications to confirm the proper development of the system to perform the intended accounting procedures. (Practice Standard § III.4(2)[2].C.a, On the Setting of the Standards and Practice Standards for Management Assessment and Audit concerning Internal Control Over Financial Reporting, Provisional Translation)
  • The goals of Configuration Management are to: • account for all the IT assets and configurations within the organization and its services • provide accurate information on configurations and their documentation to support all the other Service Management processes • provide a sound basis fo… (§ 7.1, § 7.2, OGC ITIL: Service Support)
  • The organization should ensure all client devices, including laptops, PCs, and PEDs, are in compliance with all security policies, configuration policies, and the operating system benchmark. (§ 2.2 (2.2.190), The Center for Internet Security Wireless Networking Benchmark, 1)
  • Network and system environments that are properly configured will minimize the amount of information would-be attackers are provided and will present a less attractive target for most attackers. (§ 8.2.1 ¶ 3, IIA Global Technology Audit Guide (GTAG) 1: Information Technology Controls)
  • Configurable controls manage and control processing transactions through a process. The controls are often overlooked during process audits. Not considering these may result in an ineffective audit procedure or inaccurate audit results. Evaluating these controls should not be completed as a standalo… (App A.8, IIA Global Technology Audit Guide (GTAG) 4: Management of IT Auditing)
  • Security officers should be familiar with the common operating system processes and which ones are running on each system. By being able to recognize the ordinary processes, unusual processes will be easier to spot. (Action 1.8.7, SANS Computer Security Incident Handling, Version 2.3.1)
  • The objective of configuration management is to define and control the components of the service and infrastructure and maintain accurate configuration information. (§ 9.1, ISO 20000-2 Information technology - Service Management Part 2, 2005)
  • CMS business partners are not required to make verbatim use of all security configuration guides and checklists for configuring Medicare systems. CMS business partners shall establish and maintain an active configuration management program. CMS business partners shall include their "as designed/buil… (§ 3.10.1 ¶ 2, CMS Business Partners Systems Security Manual, Rev. 10)
  • Each agency must develop, document, and implement an agency-wide information security program that includes policies and procedures that ensure compliance with the minimally acceptable system configuration requirements and other applicable requirements. (§ 3544(b)(2)(D)(iii), Federal Information Security Management Act of 2002, Deprecated)
  • The System Administrator should regularly check the Unisys website for any new security patches or updates. If a product is installed on the system, and is either disabled or not used, security patches for this product should still be installed. (§ 2.5, Defense Information Systems Agency UNISYS Security Technical Implementation Guide Version 7 Release 2, 28 August 2006)
  • System administrators and Information Assurance Officers should regularly check the operating system vendors' sites for applicable security patches. Patches are applicable if the product is installed on the system, even if it is not used. Patches should be installed to remove any known vulnerabilitie… (§, Defense Information Systems Agency UNIX Security Technical Implementation Guide Version 5 Release 1, Version 5, Release 1)
  • § 2.2 (WIR1250) Implement wireless e-mail servers and handheld configuration settings. App B.2 Row "Enable Firewall", located in Policy Manager/Firewall Settings, should be set to Enable with a mark in the check box. App B.2 Row "Restrict Wireless", located in Policy Manager/Resource Settings, shou… (§ 2.2 (WIR1250), App B.2 Row "Enable Firewall", App B.2 Row "Restrict Wireless", App B.2 Row "Restrict SMS", DISA Wireless STIG Apriva Sensa Secure Wireless Email System Security Checklist, V5R2.2, Version 5 Release 2.2)
  • Interview management and review the response to pre-examination information requests to identify changes to the technology infrastructure or new products and services that might increase the institution's risk. Consider: ▪ Products or services delivered to either internal or external users, ▪ Ne… (Exam Obj 1.3, FFIEC IT Examination Handbook - Management)
  • Interview management and review the operations information request to identify: ▪ Any significant changes in business strategy or activities that could affect the operations environment; ▪ Any material changes in the audit program, scope, or schedule related to operations; ▪ Changes to interna… (Exam Tier I Obj 1.3, FFIEC IT Examination Handbook - Operations, July 2004)
  • Mandatory configuration settings must be established by the organization for all products used by the system. The settings must be configured to the most restrictive possible. (§ 5.6.5, Exhibit 4 CM-6, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information)
  • Application security and operating systems configuration standards should be developed or enhanced for all WLAN equipment, including laptops and authentication servers, to account for the additional risks in wireless environments. (Table 8-1 Item 4, Table 8-1 Item 5, Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i, NIST SP 800-97, February 2007)
  • Configuration management is mentioned, but only as a control to ensure system security. (§ 3.9, Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996)
  • If possible, the organization should use centralized security management to ensure all handheld devices are in compliance with the organization's mobile device security policy. This system should periodically ensure through communications with handheld devices that they are in compliance with polici… (§ 4.1.9, § 4.2.5, Guidelines on Cell Phone and PDA Security, NIST SP 800-124, October 2008)
  • Perform Configuration Management and Control: Configuration management and control procedures are critical to establishing an initial baseline of hardware, software, and firmware components for the information system and subsequently for controlling and maintaining an accurate inventory of any chang… (§, Security Considerations in the Information System Development Life Cycle, NIST SP 800-64, Revision 2)
  • Reference system random number generator. Solaris 9 ships with random number generators. For applications needing random numbers, these are preferable to generators which are not native to the operating system. (§ 1.4, NSA Guide to the Secure Configuration of Solaris 9, Version 1.0)