Establish, implement, and maintain a Configuration Management Database with accessible reporting capabilities.


CONTROL ID: 02132
CONTROL TYPE: Establish/Maintain Documentation
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a Configuration Management program., CC ID: 00867

This Control has the following implementation support Control(s):
  • Document external connections for all systems., CC ID: 06415


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • The CMDB is likely to be based upon database technology that provides flexible and powerful interrogation facilities. A few examples of its potential use are to list: • Release contents, including component CIs and their version numbers • component CIs and their version numbers in the test and… (§ 7.3.7, OGC ITIL: Service Support)
  • Details about Information Systems that support or enable critical infrastructure should be recorded in an inventory (e.g., a Configuration Management Database or equivalent). (CF.08.03.04, The Standard of Good Practice for Information Security)
  • Details about Information Systems that support or enable critical infrastructure should be recorded in an inventory (e.g., a Configuration Management Database or equivalent). (CF.08.03.04, The Standard of Good Practice for Information Security, 2013)
  • The organization shall maintain configuration information with an appropriate level of security and integrity. (§ 6.3.5.3(b)(1), ISO 15288-2008 Systems and software engineering - System life cycle processes, R 2008)
  • The Configuration Management Database shall be reliable and accurate. (§ 9.1 ¶ 2, ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
  • Where required, configuration information should be accessible for users, customers, suppliers and partners to assist them in their planning and decision making. For example, an external organization may make configuration information accessible to the customer and other parties to support the other… (§ 9.1.4, ISO 20000-2 Information technology - Service Management Part 2, 2005)
  • For software systems assigned to Class A, Class B, and Class C software safety classes, the medical device manufacturer shall document the software system configuration, including all configuration items and their versions. (§ 8.1.3, ISO 62304 - 2006 Medical device software - Software life cycle processes, 2006)
  • The Information Assurance Officer, for medical device VLAN, security zones and/or screened subnet architectures, will update the accreditation documentation. (§ 3.2.4 (MED0080: CAT III), Medical Devices Security Technical Implementation Guide, Version 1, Release 1)
  • Collects data to build metrics and reporting of configuration management compliance, and vulnerability management. (App A Objective 6.28.f, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Is the router configuration reviewed on a regular basis? (IT - Routers Q 8, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Is the router configuration reviewed on a regular basis? (IT - Routers Q 21, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • The organization should develop, document, and maintain an accurate inventory of the system configuration. (SG.CM-8 Requirement 1, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization establishes and documents configuration settings for information technology products employed within the information system using {organizationally documented security configuration checklists} that reflect the most restrictive mode consistent with operational requirements. (CM-6a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization establishes and documents configuration settings for information technology products employed within the information system using {organizationally documented security configuration checklists} that reflect the most restrictive mode consistent with operational requirements. (CM-6a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization establishes and documents configuration settings for information technology products employed within the information system using {organizationally documented security configuration checklists} that reflect the most restrictive mode consistent with operational requirements. (CM-6a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization establishes and documents configuration settings for information technology products employed within the information system using {organizationally documented security configuration checklists} that reflect the most restrictive mode consistent with operational requirements. (CM-6a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)