Create a hardened image of the baseline configuration to be used for building new systems.


CONTROL ID
07063
CONTROL TYPE
Configuration
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a Configuration Baseline Documentation Record., CC ID: 02130

This Control has the following implementation support Control(s):
  • Store master images on securely configured servers., CC ID: 12089
  • Test systems to ensure they conform to configuration baselines., CC ID: 13062
  • Update the security configuration of hardened images, as necessary., CC ID: 12088
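As an added illustration of the supporting control "Test systems to ensure they conform to configuration baselines" (this script is not part of any authority document quoted on this page), the following Python example records a manifest of a hardened golden image (SHA-256 digest and permission bits of every file) and then reports where a deployed system has drifted from it: modified content, changed permissions, missing files and files the image never contained. Every path, file content and mode below is constructed for the example.

```python
"""Baseline conformance check for a hardened image (added example).

Records a manifest (SHA-256 digest and permission bits) of every regular file
under a "golden" image tree, then compares a deployed system tree against that
manifest and reports drift. All file names, contents and modes used in demo()
are constructed for this example.
"""
import hashlib
import stat
import tempfile
from pathlib import Path


def _digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Return {relative_path: {"sha256": ..., "mode": ...}} for every regular file under root."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            rel = path.relative_to(root).as_posix()
            mode = stat.S_IMODE(path.stat().st_mode)  # permission bits only
            manifest[rel] = {"sha256": _digest(path), "mode": mode}
    return manifest


def check_conformance(baseline: dict, root: Path) -> list:
    """Compare the tree under root with the baseline; return a sorted list of findings."""
    current = build_baseline(root)
    findings = []
    for rel, expected in baseline.items():
        actual = current.get(rel)
        if actual is None:
            findings.append(f"MISSING {rel}")
            continue
        if actual["sha256"] != expected["sha256"]:
            findings.append(f"MODIFIED {rel}")
        if actual["mode"] != expected["mode"]:
            findings.append(
                f"MODE {rel} expected {expected['mode']:04o} got {actual['mode']:04o}"
            )
    # Anything present on the system but absent from the image is drift too.
    for rel in current:
        if rel not in baseline:
            findings.append(f"UNEXPECTED {rel}")
    return sorted(findings)


def _write(root: Path, rel: str, content: str, mode: int) -> None:
    path = root / rel
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(content)
    path.chmod(mode)


def demo() -> list:
    """Build a constructed golden image, derive its baseline, then check a drifted copy."""
    with tempfile.TemporaryDirectory() as golden, tempfile.TemporaryDirectory() as deployed:
        golden, deployed = Path(golden), Path(deployed)
        # Constructed hardened configuration of the golden image.
        _write(golden, "etc/ssh/sshd_config",
               "PermitRootLogin no\nPasswordAuthentication no\n", 0o600)
        _write(golden, "etc/sudoers", "root ALL=(ALL) ALL\n", 0o440)
        baseline = build_baseline(golden)

        # A deployed system that has drifted from the image in three ways:
        # a weakened sshd setting, loosened sudoers permissions, and a stray script.
        _write(deployed, "etc/ssh/sshd_config",
               "PermitRootLogin yes\nPasswordAuthentication no\n", 0o600)
        _write(deployed, "etc/sudoers", "root ALL=(ALL) ALL\n", 0o644)
        _write(deployed, "tmp/debug.sh", "#!/bin/sh\n", 0o755)
        return check_conformance(baseline, deployed)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

In practice the manifest produced by `build_baseline` would be generated once from the master image, stored alongside it on the securely configured server, and signed, so that a conformance check compares the live system against a trusted record rather than against a copy that could itself have been altered.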


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • The FI should establish policies and standards to manage virtual images and snapshots. The standards should include details that govern the security, creation, distribution, storage, use, retirement and destruction of virtual images and snapshots so as to protect these assets against unauthorised ac… (§ 11.4.3, Technology Risk Management Guidelines, January 2021)
  • Are virtual images hardened before being enabled? (Appendix D, Build and Maintain a Secure Network Bullet 7 Sub-bullet 3, Information Supplement: PCI DSS Cloud Computing Guidelines, Version 2.0)
  • Follow strict configuration management, building a secure image that is used to build all new systems that are deployed in the enterprise. Any existing system that becomes compromised should be re-imaged with the secure build. Regular updates or exceptions to this image should be integrated into the… (Control 3.2, The CIS Critical Security Controls for Effective Cyber Defense, Version 6.0)
  • The organization should build a secure image of workstations and servers to be used for building all new systems. (Critical Control 3.1, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • Maintains standard images of the entity's servers and stores them securely. Uses clean (i.e., trusted) images to restore the server if a server needs to be rebuilt and documents, reviews, and approves deviations from the standard image. (App A Objective 13:3g, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Maintain a baseline configuration for system development and test environments that is managed separately from the operational baseline configuration. (CM-2(6) ¶ 1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Maintain a baseline configuration for system development and test environments that is managed separately from the operational baseline configuration. (CM-2(6) ¶ 1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • The organization should maintain a separate baseline configuration for the development and test environment and the operational environment. (SG.CM-2 Additional Considerations A1, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization maintains a baseline configuration for information system development and test environments that is managed separately from the operational baseline configuration. (CM-2(6), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization maintains a baseline configuration for information system development and test environments that is managed separately from the operational baseline configuration. (CM-2(6) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Maintain a baseline configuration for system development and test environments that is managed separately from the operational baseline configuration. (CM-2(6) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Maintain a baseline configuration for system development and test environments that is managed separately from the operational baseline configuration. (CM-2(6) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • The organization maintains a baseline configuration for information system development and test environments that is managed separately from the operational baseline configuration. (CM-2(6) ¶ 1, Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)