Establish, implement, and maintain a Configuration Management program.
CONTROL ID 00867
CONTROL TYPE Establish/Maintain Documentation
CLASSIFICATION Preventive
SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
System hardening through configuration management, CC ID: 00860
This Control has the following implementation support Control(s):
Establish, implement, and maintain configuration control and Configuration Status Accounting., CC ID: 00863
Establish, implement, and maintain a configuration management policy., CC ID: 14023
Establish, implement, and maintain a configuration management plan., CC ID: 01901
Establish, implement, and maintain system tracking documentation., CC ID: 15266
Employ the Configuration Management program., CC ID: 11904
Record Configuration Management items in the Configuration Management database., CC ID: 00861
Test network access controls for proper Configuration Management settings., CC ID: 01281
Disseminate and communicate the configuration management program to all interested personnel and affected parties., CC ID: 11946
Establish, implement, and maintain a Configuration Management Database with accessible reporting capabilities., CC ID: 02132
Establish, implement, and maintain a configuration baseline based on the least functionality principle., CC ID: 00862
Include backup procedures in the Configuration Management policy., CC ID: 01314
SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
App 2-1 Item Number IV.9(1): The organization must ensure the management of software, hardware, and the network is clearly defined to prevent the hardware, software, and network from being overseen by both the organization and the vendor or not being overseen by either party. This is a control item … (App 2-1 Item Number IV.9(1), App 2-1 Item Number IV.9(2), App 2-1 Item Number IV.9(4), Appendix 1 Correspondence of the System Management Standards - Supplementary Edition to other standards)
O31: The organization shall implement configuration management for network devices to protect them against tampering.
O66: The organization shall perform hardware and software configuration and version management. (O31, O66, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
The other relevant controls include service level management, vendor management, capacity management and configuration management which are described in later chapters. Decommissioning and destruction controls need to be used to ensure that information security is not compromised as IT assets reach … (Critical components of information security 6) (iv), Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
Ongoing support and maintenance controls would be needed to ensure that IT assets continue to meet business objectives. Major controls in this regard include change management controls to ensure that the business objectives continue to be met following change; configuration management controls to en… (Critical components of information security 6) (iii), Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
Configuration management is the process of maintaining key information (e.g. model, version, specifications, etc.) about the configuration of the hardware and software that makes up each IT system. The FI should implement a configuration management process to maintain accurate information of its har… (§ 7.2.1, Technology Risk Management Guidelines, January 2021)
The organization should implement Configuration Management controls to define, register, assess, and maintain the configuration and ensure vulnerabilities are minimized. (¶ 54 (b), APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
configuration management controls to ensure that the configuration minimises vulnerabilities and is defined, assessed, registered and maintained; (¶ 54(b), APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
The network configuration should be under the control of a central network management authority. (§ 3.10.5, Australian Government ICT Security Manual (ACSI 33))
In case of IT services, configuration has been conceived, implemented and documented based on the necessary security requirements. (1.2.4 Requirements (should) Bullet 1, Information Security Assessment, Version 5.1)
configuration management. This is a particularly important measure, as for example, in the context of cloud, misconfiguration of cloud services can be a major cause of data breaches; (§ 7.11 Bullet 1, SS2/21 Outsourcing and third party risk management, March 2021)
(§ 3.3.1, OGC ITIL: Security Management)
The entity has established policies and procedures and technical specifications and requirements for the configuration and credentialing of users and systems prior to granting logical access to information and data about internally and externally managed infrastructure-based platforms, devices and s… (S7.1 Manages credentials for infrastructure and software, Privacy Management Framework, Updated March 1, 2020)
Does the organization use enterprise level desktop Configuration Management? (Table Row VI.13, OECD / World Bank Technology Risk Checklist, Version 7.3)
The organization should establish configuration management procedures, including patch management and configuration control. (§ 2.2 (2.2.010), The Center for Internet Security Wireless Networking Benchmark, 1)
Establish configuration procedures to support management and logging of all changes to the configuration repository. Integrate these procedures with change management, incident management and problem management procedures. (DS9.2 Identification and Maintenance of Configuration Items, CobiT, Version 4.1)
Examine the organization's system configuration standards for all types of system components. (§ 2.2.a, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 2.0)
Verify that system configuration standards are applied when new systems are configured. (§ 2.2.c, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 2.0)
Examine the organization's system configuration standards for all types of system components. (§ 2.2.a Testing Procedures, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
Verify that system configuration standards are applied when new systems are configured. (§ 2.2.c Testing Procedures, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
Configuration standards that address all known security vulnerabilities and are consistent with industry system hardening standards must be developed for all system components. (PCI DSS Requirements § 2.2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
Ensure that security policies and operational procedures for managing vendor defaults and other security parameters are documented, in use, and known to all affected parties. (2.5, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.1 April 2015)
Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards. (2.2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.1 April 2015)
Ensure that security policies and operational procedures for managing vendor defaults and other security parameters are documented, in use, and known to all affected parties. (2.5, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards. Sources of industry-accepted system hardening standards may include, but are not limited to:
- Cente… (2.2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards. (2.2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 3.2)
Ensure that security policies and operational procedures for managing vendor defaults and other security parameters are documented, in use, and known to all affected parties. (2.5, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 3.2)
Are security policies and operational procedures for managing vendor defaults and other security parameters:
- Documented
- In use
- Known to all affected parties? (2.5, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.1)
Are security policies and operational procedures for managing vendor defaults and other security parameters:
- Documented
- In use
- Known to all affected parties? (2.5, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.2)
Are security policies and operational procedures for managing vendor defaults and other security parameters:
- Documented
- In use
- Known to all affected parties? (2.5, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
Are security policies and operational procedures for managing vendor defaults and other security parameters:
- Documented
- In use
- Known to all affected parties? (2.5, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
Are security policies and operational procedures for managing vendor defaults and other security parameters:
- Documented
- In use
- Known to all affected parties? (2.5, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
Are security policies and operational procedures for managing vendor defaults and other security parameters:
- Documented
- In use
- Known to all affected parties? (2.5, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
Verify that system configuration standards include the following procedures for all types of system components:
- Changing of all vendor-supplied defaults and elimination of unnecessary default accounts
- Implementing only one primary function per server to prevent functions that require different s… (2.2.d, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
Examine policies and interview personnel to verify that system configuration standards are applied when new systems are configured and verified as being in place before a system is installed on the network. (2.2.c, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
Examine documentation and interview personnel to verify that security policies and operational procedures for managing vendor defaults and other security parameters are:
- Documented,
- In use, and
- Known to all affected parties. (2.5, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
Are configuration standards developed for all system components and are they consistent with industry-accepted system hardening standards? (PCI DSS Question 2.2(a), PCI DSS Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.0)
Are configuration standards developed for all system components and are they consistent with industry-accepted system hardening standards? (PCI DSS Question 2.2(a), PCI DSS Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.0)
Are configuration standards developed for all system components and are they consistent with industry-accepted system hardening standards? (PCI DSS Question 2.2(a), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
Are configuration standards developed for all system components and are they consistent with industry-accepted system hardening standards? (PCI DSS Question 2.2(a), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
Follow strict configuration management, building a secure image that is used to build all new systems that are deployed in the enterprise. Any existing system that becomes compromised should be re-imaged with the secure build. Regular updates or exceptions to this image should be integrated into the… (Control 3.2, The CIS Critical Security Controls for Effective Cyber Defense, Version 6.0)
The organization should follow strict Configuration Management practices. (Critical Control 3.1, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
The organization must scan all registered mobile devices and personnel devices and the devices must follow the Configuration Management policy and the host hardening policy. (Critical Control 7.15, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
Establish and maintain a secure configuration process for enterprise assets (end-user devices, including portable and mobile; non-computing/IoT devices; and servers) and software (operating systems and applications). Review and update documentation annually, or when significant enterprise changes oc… (CIS Control 4: Safeguard 4.1 Establish and Maintain a Secure Configuration Process, CIS Controls, V8)
Establish and maintain a secure configuration process for network devices. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. (CIS Control 4: Safeguard 4.2 Establish and Maintain a Secure Configuration Process for Network Infrastructure, CIS Controls, V8)
¶ 8.1.5(1) Operational Issues. An organization should implement safeguards which assure that all procedures maintain the secure, correct and reliable functioning of the IT equipment and related system(s) used. This should be achieved by implementing organizational procedures. Operational safeguards… (¶ 8.1.5(1), ¶ 10.3.9, ISO 13335-4 Information technology - Guidelines for the management of IT Security - Part 4: Selection of safeguards, 2000)
The organization shall define a Configuration Management strategy. (§ 6.3.5.3(a)(1), ISO 15288-2008 Systems and software engineering - System life cycle processes, R 2008)
A configuration management plan should be developed. The plan should describe each automated tool and how it is used. The configuration management system should automatically ensure only authorized changes are made to the product. (§ 13.1, ISO 15408-3 Common Criteria for Information Technology Security Evaluation Part 3, 2008)
The CIs affected by new or changed services shall be managed through configuration management. (§ 8.5.2.1 ¶ 4, ISO/IEC 20000-1:2018, Information technology â Service management âPart 1: Service management system requirements, Third Edition)
CIs shall be controlled. Changes to CIs shall be traceable and auditable to maintain the integrity of the configuration information. The configuration information shall be updated following the deployment of changes to CIs. (§ 8.2.6 ¶ 3, ISO/IEC 20000-1:2018, Information technology â Service management âPart 1: Service management system requirements, Third Edition)
Configuration change management and vulnerability assessments (CIP- 010); (B. R1. 1.1 1.1.7., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Security Management Controls CIP-003-6, Version 6)
Is there a process used to manage the controls on a life cycle basis? (§ L.3, Shared Assessments Standardized Information Gathering Questionnaire - L. Compliance, 7.0)
As part of the configuration management program, CMS business partners are highly encouraged to use the documents listed in Appendix C to develop configuration standards, templates, and processes to securely configure Medicare systems. (§ 3.10.1, CMS Business Partners Systems Security Manual, Rev. 10)
Each agency must develop, document, and implement an information security program agency wide that includes policies and procedures that ensure compliance with the minimally acceptable system configuration requirements and other applicable requirements. (§ 3544(b)(2)(D)(iii), Federal Information Security Management Act of 2002, Deprecated)
The Information Assurance Officer should ensure configuration policies are enforced to ensure untested software is not loaded onto production systems. (§ 13, Defense Information Systems Agency UNISYS Security Technical Implementation Guide Version 7 Release 2, 28 August 2006)
All sites should have a policy in place to implement the security configurations on the system. Windows has Microsoft Security Configuration tools built into the operating system that can be used to ensure security configurations are enabled. (§ 3.12, DISA Windows Server 2003 Security Checklist, Version 6 Release 1.11)
A policy should be in effect to implement security configurations on the system. (§ 3.1 (1.016), DISA Windows VISTA Security Checklist, Version 6 Release 1.11)
A process should exist to implement system security configurations. Security configuration tools should be used to implement security compliance on the system. (§ 3.12, DISA Windows XP Security Checklist, Version 6 Release 1.11)
Ensure procedures exist which address the testing and implementation process for all patches, upgrades in the Configuration Management Plan. (DCCT-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
The organization must implement procedures for maintaining a configuration management plan. The configuration management plan must document the configuration of the system and the system connectivity. (§ 8-311, NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006)
Ensures that systems and software used to support entity operations have appropriate configuration management capabilities, including configuration of audit log settings, and enforces configuration management. (App A Objective 15:2b, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
Evaluate whether management has policies, standards, and procedures for configuration management and defines and implements appropriate configuration settings. In addition, verify whether management does the following: (App A Objective 15:2, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
Safeguards systems against security threats and employs IAM, configuration management, and log monitoring. (App A Objective 13:6c Bullet 2, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
Determine whether appropriate processes exist for configuration management (managing and controlling configurations of systems, applications, and other technology). (App A Objective 6.12, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
Management should have a process to introduce changes to the environment in a controlled manner. Changes to the IT environment include the following:
- Configuration management of IT systems and applications.
- Hardening of systems and applications.
- Use of standard builds.
- Patch management. (II.C.10 Change Management Within the IT Environment, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
The organization should establish configuration management standards. (Pg 9, Pg 51 thru Pg 54, FFIEC IT Examination Handbook - Development and Acquisition)
Review documentation that describes, or discuss with management, the technology systems and operations (enterprise architecture) in place to develop an understanding of how these systems support the institution's business activities. Assess the adequacy of the documentation or management's ability t… (Exam Tier I Obj 2.2, FFIEC IT Examination Handbook - Operations, July 2004)
The organization must develop, document, distribute, and continuously update a configuration management policy that identifies roles, responsibilities, and procedures for the implementation of configuration management security controls. (Exhibit 4 CM-1, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information)
Does the Credit Union have written configuration policies and configuration checklists for firewalls, routers, personal computers, servers, etc.? (IT - Networks Q 22, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
Do the configuration policies and procedures address enabling and monitoring error logs and system auditing functions? (IT - Networks Q 23, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
Do the configuration policies and procedures include removing or disabling unnecessary network services and Operating System services? (IT - Networks Q 25, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
Do the configuration policies and procedures include replacing components when necessary? (IT - Networks Q 27, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
The organization shall implement a configuration management system for the cryptographic module, its components, and its documentation. The system shall assign and label each version of each configuration item with a unique identification number. (§ 4.10.1 ¶ 2, FIPS Pub 140-2, Security Requirements for Cryptographic Modules, 2)
Configuration Management (CM): Organizations must: (i) establish and maintain baseline configurations and inventories of organizational information systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles; and (ii) establish and enf… (§ 3, FIPS Pub 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006)
Organizational records and documents should be examined to ensure the configuration management policy and procedures are documented, disseminated, reviewed, and updated and specific responsibilities and actions are defined for the implementation of the configuration management policy and procedures … (CM-1, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)
The organization's configuration control and management program should include handheld devices. The configuration policy should include how to configure the software and hardware for the handheld devices; how to install patches and upgrades; which services and applications can be disabled and/or re… (Pg ES-2, § 4.2.5, Guidelines on Cell Phone and PDA Security, NIST SP 800-124, October 2008)
Analyze organization's cyber defense policies and configurations and evaluate compliance with regulations and organizational directives. (T0010, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
Oversee and make recommendations regarding configuration management. (T0156, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
Assess all the configuration management (change configuration/release management) processes. (T0344, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
The organization must develop and implement a Configuration Management security policy. (SG.CM-1 Requirement 1.a, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
The Configuration Management security policy must include the objectives, roles, and responsibilities of the Configuration Management program. (SG.CM-1 Requirement 1.a.i, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
The Configuration Management security policy must include the scope of the Configuration Management program. (SG.CM-1 Requirement 1.a.ii, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
The organization must include flaw remediation in the Configuration Management process. (SG.SI-2 Requirement 3, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
The organization must develop, disseminate, review, and update a formal, documented Configuration Management policy that includes purpose, responsibilities, scope, roles, compliance, coordination, and management commitment. (App F § CM-1.a, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
The organization must incorporate the flaw remediation process into the Configuration Management process. (App F § SI-2.c, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
Oversee and make recommendations regarding configuration management. (T0156, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework)â, July 7, 2020)
Analyze organization's cyber defense policies and configurations and evaluate compliance with regulations and organizational directives. (T0010, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework)â, July 7, 2020)
Assess all the configuration management (change configuration/release management) processes. (T0344, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework)â, July 7, 2020)
The organization develops, documents, and disseminates to {organizationally documented personnel} a configuration management policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. (CM-1a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
The organization develops, documents, and disseminates to {organizationally documented personnel} a configuration management policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. (CM-1a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
The organization develops, documents, and disseminates to {organizationally documented personnel} a configuration management policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. (CM-1a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
The organization develops, documents, and disseminates to {organizationally documented personnel} a configuration management policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. (CM-1a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
