Protect master copies of Configurable Items using secure methods or mechanisms.

Technical Security


This Control directly supports the implied Control(s):
  • System hardening through configuration management, CC ID: 00860

There are no implementation support Controls.


  • The organization should securely store the configuration information off the server in a way that maintains its integrity. (Control: 0386 Bullet 2, Australian Government Information Security Manual: Controls)
  • A controlled library is a collection of software or document CIs of known type and status. Access to items in a controlled library should be restricted. Software libraries are used for controlling and releasing software throughout the systems development lifecycle, e.g. in development, building, tes… (§ 7.3.8, § 7.3.9, OGC ITIL: Service Support)
  • A master copy of the Configuration Item records in the Configuration Management Database shall be stored in secure physical libraries or electronic libraries that are referenced by the configuration records and shall include documentation, software, license information, and hardware configuration im… (§ 9.1 ¶ 8, ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
  • To protect the integrity of systems, services and the infrastructure, configuration items should be held in a suitable and secure environment which: a) protects them from unauthorized access, change or corruption, e.g. virus; b) provides a means for disaster recovery; c) permits the controlled re… (§ 9.1.3, ISO 20000-2 Information technology - Service Management Part 2, 2005)
  • Backup tapes should be stored at an offsite facility that is not collocated with the facility housing the system being backed up. The tapes should be stored in a fireproof container. The Information Assurance Officer should ensure the security backup tapes are kept either on the computer room floor … (§ 2.2.3, § 3.5.2, § 4.1.2, § 7.1.2, § 7.3, Defense Information Systems Agency UNISYS Security Technical Implementation Guide Version 7 Release 2, 28 August 2006)
  • The Backup Administrator account information should be securely stored and be accessible by the Information Assurance Manager in case of an emergency. (§ 3.3, DISA Windows Server 2003 Security Checklist, Version 6 Release 1.11)
  • The Backup Administrator account and password should be stored in a secure location by the Information Assurance Manager. (§ 3.1 (3.121), DISA Windows VISTA Security Checklist, Version 6 Release 1.11)
  • The Information Assurance Officer should store the Backup Administrator account information in a secure location. (§ 3.3, DISA Windows XP Security Checklist, Version 6 Release 1.11)
  • Ensure that a backup copy of the software inventory is stored in a fire-rated container or otherwise not collocated with the original. (DCSW-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation)