Identify and document the system's Configurable Items.

CONTROL ID: 02133
CONTROL TYPE: Establish/Maintain Documentation
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • System hardening through configuration management, CC ID: 00860

This Control has the following implementation support Control(s):
  • Define the relationships and dependencies between Configurable Items., CC ID: 02134
  • Trace each Configurable Item throughout the systems' life cycle., CC ID: 02135
  • Approve each system's Configurable Items (and changes to those Configurable Items)., CC ID: 04887
  • Request an acknowledgment from the system owner of the system's configuration., CC ID: 10602


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Configuration identification is the selection, identification and labeling of the configuration structures and CIs, including their respective 'owner' and the relationships between them. CIs may be hardware, software or documentation. Examples include services, servers, environments, equipment, netw… (§ 7.3.2, OGC ITIL: Service Support)
  • You should have an accurate picture of the assets which make up the service, along with their configurations and dependencies. (5.1 ¶ 1, Cloud Security Guidance, 1.0)
  • Does the organization keep a profile of general characteristics for each server? (Table Row VII.22, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • After installing new software or software updates, file permissions can become incorrectly set, potentially creating security vulnerabilities. Disk Utility should be run to verify and/or repair disk permissions. It will read the Bill of Materials file from the initial Mac OS X installation and compa… (Pg 30, Mac OS X Security Configuration for version 10.4 or later, second edition, Second Edition)
  • The organization must ensure the security policy contains procedures for identifying threats and vulnerabilities through an annual risk assessment. (§ 12.1.2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • Verify enabled functions are documented and support secure configuration. (§ 2.2.4.b Testing Procedures, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • Are enabled functions documented and do they support secure configuration? (PCI DSS Question 2.2.5(b), PCI DSS Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.0)
  • Is only documented functionality present on system components? (PCI DSS Question 2.2.5(c), PCI DSS Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.0)
  • Are enabled functions documented and do they support secure configuration? (PCI DSS Question 2.2.5(b), PCI DSS Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.0)
  • Is only documented functionality present on system components? (PCI DSS Question 2.2.5(c), PCI DSS Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.0)
  • Are enabled functions documented and do they support secure configuration? (PCI DSS Question 2.2.5(b), PCI DSS Self-Assessment Questionnaire C-VT and Attestation of Compliance, Version 3.0)
  • Is only documented functionality present on system components? (PCI DSS Question 2.2.5(c), PCI DSS Self-Assessment Questionnaire C-VT and Attestation of Compliance, Version 3.0)
  • Are enabled functions documented and do they support secure configuration? (PCI DSS Question 2.2.5(b), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • Is only documented functionality present on system components? (PCI DSS Question 2.2.5(c), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • Are enabled functions documented and do they support secure configuration? (PCI DSS Question 2.2.5(b), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • Is only documented functionality present on system components? (PCI DSS Question 2.2.5(c), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • The organization shall document the network's Configuration Management information. (§ 4.3.2 ¶ 1(c), Application of risk management for IT-networks incorporating medical devices Part 1: Roles, responsibilities and activities, Edition 1.0 2010-10)
  • The organization shall identify the product throughout its lifecycle and establish procedures for identifying products. (§ 7.5.3.1 ¶ 1, ISO 13485:2003 Medical devices -- Quality management systems -- Requirements for regulatory purposes, 2003)
  • The organization shall identify configuration control items. (§ 6.3.5.3(a)(2), ISO 15288-2008 Systems and software engineering - System life cycle processes, R 2008)
  • All configuration items that make up the product should be uniquely identified and described in a configuration list. The configuration list should be included in the configuration management document. The configuration item list should contain the following: a list of all the hardware, software, an… (§ 13.2, § 13.3, ISO 15408-3 Common Criteria for Information Technology Security Evaluation Part 3, 2008)
  • A configuration list should be maintained; uniquely identify each configuration item and version number; include a description of how items are uniquely identified; and identify items according to the configuration management plan. The configuration list should contain at a minimum the implementatio… (§ 11.4.1.4.5 thru § 11.4.1.4.8, § 12.4.1.3.6 thru § 12.4.1.3.9, § 12.4.2, § 13.4.3.2.7 thru § 13.4.3.2.10, § 13.4.3, ISO 18045 Common Methodology for Information Technology Security Evaluation Part 3, 2005)
  • Configuration items that are affected by new or changed services shall be controlled by the Configuration Management process. (§ 5.1 ¶ 2, ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
  • Each Configuration Item type shall have a documented definition. (§ 9.1 ¶ 1, ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
  • Each Configuration Item record shall include a description of the Configuration Item. (§ 9.1 ¶ 1(a), ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
  • The Configuration Item record shall include the status of the Configuration Item. (§ 9.1 ¶ 1(d), ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
  • Each Configuration Item record shall include the version. (§ 9.1 ¶ 1(e), ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
  • Each Configuration Item record shall include the location of the Configuration Item. (§ 9.1 ¶ 1(f), ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
  • Each Configuration Item record shall include associated change requests. (§ 9.1 ¶ 1(g), ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
  • Each Configuration Item record shall include associated problems and known errors. (§ 9.1 ¶ 1(h), ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
  • Configuration items shall be recorded in the Configuration Management Database and be uniquely identified. (§ 9.1 ¶ 2, ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
  • All configuration items should be uniquely identified and defined by attributes that describe their functional and physical characteristics. Information should be relevant and auditable. Items to be managed should be identified using established selection criteria and should include: a) all issues … (§ 9.1.2, ISO 20000-2 Information technology - Service Management Part 2, 2005)
  • All assets of the organization should be identified. An inventory should be conducted to document the importance of each asset. The asset inventory should include information to help recover from a disaster, such as type of asset, location, format, backup information, license number, and business va… (§ 7.1.1, ISO 27002 Code of practice for information security management, 2005)
  • § 5.1.11: For software systems assigned to Class B and Class C software safety classes, before being verified, the medical device manufacturer shall put configuration items under configuration management control. § 8.1.1: For software systems assigned to Class A, Class B, and Class C software safe… (§ 5.1.11, § 8.1.1, § 8.1.2, ISO 62304 - 2006 Medical device software - Software life cycle processes, 2006)
  • Configuration information shall be recorded to a level of detail appropriate to the criticality and type of services. Access to configuration information shall be controlled. The configuration information recorded for each CI shall include: (§ 8.2.6 ¶ 2, ISO/IEC 20000-1:2018, Information technology — Service management — Part 1: Service management system requirements, Third Edition)
  • The types of CI shall be defined. Services shall be classified as CIs. (§ 8.2.6 ¶ 1, ISO/IEC 20000-1:2018, Information technology — Service management — Part 1: Service management system requirements, Third Edition)
  • type of CI; (§ 8.2.6 ¶ 2(b), ISO/IEC 20000-1:2018, Information technology — Service management — Part 1: Service management system requirements, Third Edition)
  • description of the CI; (§ 8.2.6 ¶ 2(c), ISO/IEC 20000-1:2018, Information technology — Service management — Part 1: Service management system requirements, Third Edition)
  • status. (§ 8.2.6 ¶ 2(e), ISO/IEC 20000-1:2018, Information technology — Service management — Part 1: Service management system requirements, Third Edition)
  • Defines the configuration items for the information system and places the configuration items under configuration management; and (CM-9c., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Defines the configuration items for the information system and places the configuration items under configuration management; and (CM-9c., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Defines the configuration items for the information system and places the configuration items under configuration management; and (CM-9c., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Device drivers control peripheral equipment and memory operations and reside in the kernel. If a device driver is compromised, the entire system could be compromised. All device files should be located in the directory they were installed in or located in a directory designated by the operating syst… (§ 3.11, Defense Information Systems Agency UNIX Security Technical Implementation Guide Version 5 Release 1, Version 5, Release 1)
  • A medical device manufacturer shall establish and maintain procedures to identify the product during receipt, production, distribution, and installation. (§ 820.60, 21 CFR Part 820, Subchapter H - Medical Devices, Part 820 Quality System Regulation)
  • Defines the configuration items for the information system and places the configuration items under configuration management; and (CM-9c. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Defines the configuration items for the information system and places the configuration items under configuration management; and (CM-9c. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Defines the configuration items for the system and places the configuration items under configuration management; (CM-9c., FedRAMP Security Controls High Baseline, Version 5)
  • Defines the configuration items for the system and places the configuration items under configuration management; (CM-9c., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Determine the access control capability for all information systems containing ePHI. (§ 4.14.2 Bullet 1, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, NIST SP 800-66, Revision 1)
  • Defines the configuration items for the system and places the configuration items under configuration management; (CM-9c., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Defines the configuration items for the system and places the configuration items under configuration management; (CM-9c., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Defines the configuration items for the system and places the configuration items under configuration management; (CM-9c., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Flow Down Controls)
  • Defines the configuration items for the system and places the configuration items under configuration management; (CM-9c., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Defines the configuration items for the system and places the configuration items under configuration management; (CM-9c., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Assign system components to a system; and (CM-8(9)(a), Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Defines the configuration items for the information system and places the configuration items under configuration management; and (CM-9c. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Defines the configuration items for the information system and places the configuration items under configuration management; and (CM-9c. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The organization should develop and implement a Configuration Management Plan that defines the system configuration items. (SG.CM-11 Requirement 2, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization should develop and implement a Configuration Management Plan that defines how to uniquely identify the configuration items during the System Development Lifecycle. (SG.CM-11 Requirement 4, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization assigns {organizationally documented acquired information system components} to an information system. (CM-8(9)(a), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • Defines the configuration items for the information system and places the configuration items under configuration management; and (CM-9c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Defines the configuration items for the information system and places the configuration items under configuration management; and (CM-9c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Defines the configuration items for the information system and places the configuration items under configuration management; and (CM-9c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Assigns [Assignment: organization-defined acquired information system components] to an information system; and (CM-8(9)(a), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Defines the configuration items for the system and places the configuration items under configuration management; (CM-9c., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Assign system components to a system; and (CM-8(9)(a), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Defines the configuration items for the system and places the configuration items under configuration management; (CM-9c., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Assign system components to a system; and (CM-8(9)(a), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Defines the configuration items for the information system and places the configuration items under configuration management; and (CM-9c., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Assigns [Assignment: organization-defined acquired information system components] to an information system; and (CM-8(9) ¶ 1(a), Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Defines the configuration items for the information system and places the configuration items under configuration management; and (CM-9c., TX-RAMP Security Controls Baseline Level 2)