Audit the configuration of organizational assets, as necessary.


CONTROL ID
13653
CONTROL TYPE
Audits and Risk Management
CLASSIFICATION
Detective

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • System hardening through configuration management, CC ID: 00860

This Control has the following implementation support Control(s):
  • Audit assets after maintenance was performed., CC ID: 13657


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Periodically auditing the access device configurations and patch levels (Critical components of information security 25) iii.f., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Banks should ensure that each wireless device connected to the network matches an authorized configuration and security profile, with a documented owner of the connection and a defined business need. Organizations should deny access to those wireless devices that do not have such a configuration and… (Critical components of information security 28) iv., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • The FI should review and verify the configuration information of its hardware and software on a regular basis to ensure it is accurate and up-to-date. (§ 7.2.2, Technology Risk Management Guidelines, January 2021)
  • Review configuration settings regularly to ensure they correspond to current requirements. (Annex A1: Computer Network Security 34, Singapore(PDPC) Guide to Securing Personal Data in Electronic Medium, Revised 20 January 2017)
  • Content filters deployed in a CDS are subject to rigorous security assessment to ensure they mitigate content-based threats and cannot be bypassed. (Security Control: 1524; Revision: 1, Australian Government Information Security Manual, March 2021)
  • Application control rulesets are validated on an annual or more frequent basis. (Control: ISM-1582; Revision: 1, Australian Government Information Security Manual, June 2023)
  • Application control rulesets are validated on an annual or more frequent basis. (Control: ISM-1582; Revision: 1, Australian Government Information Security Manual, September 2023)
  • Evidence gathering and verifying technical configurations to confirm effectiveness of security controls. (30.f., IRAP Policies and Procedures Australian Signals Directorate Information Security Registered Assessors Program, 11/2020)
  • configuration management controls to ensure that the configuration minimises vulnerabilities and is defined, assessed, registered and maintained; (¶ 54(b), APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • Implement internal control, security and auditability measures during configuration, integration and maintenance of hardware and infrastructural software to protect resources and ensure availability and integrity. Responsibilities for using sensitive infrastructure components should be clearly defin… (AI3.2 Infrastructure Resource Protection and Availability, CobiT, Version 4.1)
  • Be applied when new systems are configured and verified as in place before or immediately after a system component is connected to a production environment. (2.2.1 Bullet 5, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Examine configuration settings and interview personnel to verify that system configuration standards are applied when new systems are configured and verified as being in place before or immediately after a system component is connected to a production environment. (2.2.1.c, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Be applied when new systems are configured and verified as in place before or immediately after a system component is connected to a production environment. (2.2.1 Bullet 5, Self-Assessment Questionnaire A-EP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Be applied when new systems are configured and verified as in place before or immediately after a system component is connected to a production environment. (2.2.1 Bullet 5, Self-Assessment Questionnaire C and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Be applied when new systems are configured and verified as in place before or immediately after a system component is connected to a production environment. (2.2.1 Bullet 5, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Be applied when new systems are configured and verified as in place before or immediately after a system component is connected to a production environment. (2.2.1 Bullet 5, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • CIs shall be controlled. Changes to CIs shall be traceable and auditable to maintain the integrity of the configuration information. The configuration information shall be updated following the deployment of changes to CIs. (§ 8.2.6 ¶ 3, ISO/IEC 20000-1:2018, Information technology — Service management — Part 1: Service management system requirements, Third Edition)
  • review of documented information (including computer logs and configuration data); (§ 6.4.7.2 a), ISO/IEC 27007:2020, Information security, cybersecurity and privacy protection — Guidelines for information security management systems auditing, Third Edition)
  • Audits and reviews activities associated with configuration-controlled changes to the information system; and (CM-3f., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Audits and reviews activities associated with configuration-controlled changes to the information system; and (CM-3f., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Audits and reviews activities associated with configuration-controlled changes to the information system; and (CM-3f., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses. (M1047 Audit, MITRE ATT&CK®, Enterprise Mitigations, Version 13.1)
  • Generally, IT processing is inherently consistent; therefore, the service auditor may be able to limit the testing to one or a few instances of the control operation. An automated control usually functions consistently unless the program, including the tables, files, or other permanent data used by … (¶ 3.138, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Server security configuration parameters may be scanned and analyzed for consistency with policy. (¶ 3.117 Bullet 3, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Server security configuration parameters may be scanned and analyzed for consistency with policy. (¶ 3.130 ¶ 1 Bullet 3, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Generally, IT processing is inherently consistent; therefore, the service auditor may be able to limit the testing to one or a few instances of a control's operation. An automated control usually functions consistently unless the program, including the tables, files, or other permanent data used by … (¶ 3.153, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Change the default service set identifier (SSID) in the APs. Disable the broadcast SSID feature so that the client SSID must match that of the AP. Validate that the SSID character string does not contain any agency identifiable information (division, department, street, etc.) or services. (§ 5.13.1.1 ¶ 2 8., Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • Regularly assesses and documents compliance with the entity's baseline configuration. (App A Objective 13:3d, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Verifying that configurations prevent containers from unintentionally interacting. (Risk Management Audit and Controls Assessment Bullet 3 Sub-bullet 2 Sub-sub-bullet 2, FFIEC Security in a Cloud Computing Environment)
  • Regular testing of financial institution controls for critical systems. Processes should be in place for regular audit and testing of security controls and configurations commensurate with the risk of the operations supported by the cloud service. These processes can include the audit and testing of… (Risk Management Audit and Controls Assessment Bullet 1, FFIEC Security in a Cloud Computing Environment)
  • Audits and reviews activities associated with configuration-controlled changes to the information system; and (CM-3f. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Audits and reviews activities associated with configuration-controlled changes to the information system; and (CM-3f. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Monitor and review activities associated with configuration-controlled changes to the system; and (CM-3f., FedRAMP Security Controls High Baseline, Version 5)
  • Monitor and review activities associated with configuration-controlled changes to the system; and (CM-3f., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Monitor and review activities associated with configuration-controlled changes to the system; and (CM-3f., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Monitor and review activities associated with configuration-controlled changes to the system; and (CM-3f., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Monitor and review activities associated with configuration-controlled changes to the system; and (CM-3f., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Flow Down Controls)
  • Monitor and review activities associated with configuration-controlled changes to the system; and (CM-3f., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Monitor and review activities associated with configuration-controlled changes to the system; and (CM-3f., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Audits and reviews activities associated with configuration-controlled changes to the information system; and (CM-3f. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Audits and reviews activities associated with configuration-controlled changes to the information system; and (CM-3f. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The security controls present during system validation testing (e.g., factory acceptance testing and site acceptance testing) are still installed and operating correctly in the production system. (§ 6.2.3 ICS-specific Recommendations and Guidance ¶ 1 Bullet 1, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Validation of image configuration settings, including vendor recommendations and third-party best practices. (4.1.2 ¶ 1 (1), NIST SP 800-190, Application Container Security Guide)
  • Perform Windows registry analysis. (T0397, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Audits and reviews activities associated with configuration-controlled changes to the information system; and (CM-3f., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Audits and reviews activities associated with configuration-controlled changes to the information system; and (CM-3f., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Audits and reviews activities associated with configuration-controlled changes to the information system; and (CM-3f., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Monitor and review activities associated with configuration-controlled changes to the system; and (CM-3f., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Monitor and review activities associated with configuration-controlled changes to the system; and (CM-3f., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Audits and reviews activities associated with configuration-controlled changes to the information system; and (CM-3f., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Audits and reviews activities associated with configuration-controlled changes to the information system; and (CM-3f., TX-RAMP Security Controls Baseline Level 2)