This blog is the second of a 6-part series of blogs.
How many organizations out there know what is on their configuration baselines? What does it look like? How many information system (IS) types are on it? What about their patch level? All those questions are valid. If you cannot readily access the answers to those questions upon request, you may have a configuration management issue.
What is Configuration Management? A system of processes for establishing and maintaining consistency of your (IS) or network.
What is Baseline Configuration? A document, formally reviewed and agreed-upon set of specifications for IS or configuration items within those systems. Baseline configurations serve as a basis for future builds, releases, and/or changes to IS. Baseline configurations include information about the IS components, network topology, and logical placement of those components within the system architecture.
Every organization should have a Configuration Management Plan that documents and implements a configuration management plan for the IS. The Plan should:
- Address roles, responsibilities, and configuration management processes and procedures;
- Establish a process for identifying configuration items and for managing the configuration of the configuration items;
- Defines the configuration items for the IS and places the configuration items under configuration management
- Protect the configuration management plan from unauthorized disclosure and modification
- Describe how to move changes through change management processes, how to update configuration settings and baselines, how to maintain IS component inventories, how to control development, test, and operational environments, and how to develop, release, and update key documents
What if I want/need to alter the Configuration? Do so. However, follow the plan in place. Make changes after you’ve done the following:
- Documented proposed changes
- Reviewed proposed changes to the IS and approve or disapprove changes with sole consideration for security impact analyses
- Document configuration change decisions associated with the IS
After you’ve implemented the change:
- Retain records/documented proposed change of configuration-controlled change for a minimum of one (1) year
- Audit and review activities associated with configuration-controlled changes to the IS
Should your organization need support developing a Configuration Management plan or want an external assessment of your Cybersecurity/IT security posture, contact us. We are here to help!