Disseminate and communicate the configuration management program to all interested personnel and affected parties.


CONTROL ID: 11946
CONTROL TYPE: Communicate
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a Configuration Management program., CC ID: 00867

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • System components which are used for the rendering of the cloud service are hardened according to generally established and accepted industry standards. The hardening instructions used are documented as well as the implementation status. (Section 5.6 RB-22 Basic requirement ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • The purpose of the service configuration management practice is to ensure that accurate and reliable information about the configuration of services, and the CIs that support them, is available when and where it is needed. This includes information on how CIs are configured and the relationships bet… (5.2.11 ¶ 1, ITIL Foundation, 4 Edition)
  • Ensure that security policies and operational procedures for managing vendor defaults and other security parameters are documented, in use, and known to all affected parties. (2.5, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.1 April 2015)
  • Ensure that security policies and operational procedures for managing vendor defaults and other security parameters are documented, in use, and known to all affected parties. (2.5, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • Ensure that security policies and operational procedures for managing vendor defaults and other security parameters are documented, in use, and known to all affected parties. (2.5, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 3.2)
  • Are security policies and operational procedures for managing vendor defaults and other security parameters: - Documented - In use - Known to all affected parties? (2.5, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.1)
  • Are security policies and operational procedures for managing vendor defaults and other security parameters: - Documented - In use - Known to all affected parties? (2.5, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.2)
  • Are security policies and operational procedures for managing vendor defaults and other security parameters: - Documented - In use - Known to all affected parties? (2.5, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • Are security policies and operational procedures for managing vendor defaults and other security parameters: - Documented - In use - Known to all affected parties? (2.5, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • Are security policies and operational procedures for managing vendor defaults and other security parameters: - Documented - In use - Known to all affected parties? (2.5, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • Are security policies and operational procedures for managing vendor defaults and other security parameters: - Documented - In use - Known to all affected parties? (2.5, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Examine documentation and interview personnel to verify that security policies and operational procedures for managing vendor defaults and other security parameters are: - Documented, - In use, and - Known to all affected parties. (2.5, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • Interview system administrators and/or security managers to verify they have knowledge of common security parameter settings for system components. (2.2.6.b, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Configuration information shall be made available for other service management activities as appropriate. (§ 8.2.6 ¶ 5, ISO/IEC 20000-1:2018, Information technology — Service management — Part 1: Service management system requirements, Third Edition)
  • In the dynamic registration model of federation, it is possible for relationships between members of the federation to be negotiated at the time of a transaction. This process allows IdPs and RPs to be connected together without manually establishing a connection between them using manual registrati… (5.1.2 ¶ 1, Digital Identity Guidelines: Federation and Assertions, NIST SP 800-63C)