Sample Configuration Management Standard

From HORSE - Holistic Operational Readiness Security Evaluation.


The Configuration Management Standard builds on the objectives established in the Asset Management Standard, and provides specific instructions and requirements for establishing and maintaining baseline protection standards for Company network devices, servers, and desktops.

Objectives

  1. General
    1. Protection standards must be established and implemented for all computing and network resources in the Company production environment.
    2. In accordance with the objectives established in the Asset Protection Standard, Company protection standards shall include specific security requirements in the following areas:
      1. Access Control
      2. Remote Access
      3. Physical Access
      4. Encryption
      5. Integrity Protection
      6. Availability Protection
      7. Anti-Virus
      8. Information Handling
      9. Auditing
    3. Protection standards must be reviewed by the Information Security Department before adoption to ensure they do not introduce vulnerabilities into the Company production environment.
  2. Network Devices
    1. Each network device included in or providing access to the Company production environment shall be configured in accordance with established Company protection standards.
    2. Each network device included in or providing access to the Company production environment shall be uniquely identified, with information retained regarding its physical location, operating system (or equivalent) software, including version and revision levels, and current configuration and security settings.
    3. Network devices shall be implemented into the Company production environment in accordance with the System Development Life Cycle Standard.
    4. All changes to network devices in the Company production environment must be made in accordance with the Change Control Certification Standard and Vulnerability Assessment Standard.
    5. Network devices shall be maintained and managed to support Company threat monitoring and intrusion detection objectives.
  3. Servers
    1. Each server included in or providing access to the Company production environment shall be configured in accordance with established Company Protection Standards.
    2. Each server included in or providing access to the Company production environment shall be uniquely identified, with information retained regarding its physical location, hardware configuration, peripherals, firmware revision levels, and operating system, including version, revision, and patch levels.
    3. Servers shall be implemented into the Company production environment in accordance with the System Development Life Cycle Standard.
    4. All changes to servers in the Company production environment must be made in accordance with the Change Control Certification Standard and Vulnerability Assessment Standard.
    5. Server configurations shall be checked for compliance with Company Protection Standards at least monthly, and any deviation from the approved baseline shall be corrected or formally accepted through the Change Control Certification Standard.
    6. Servers shall be maintained and managed to support Company threat monitoring and intrusion detection objectives, and be in accordance with the Threat Monitoring Standard and Incident Response Standard.
  4. Desktop Environment
    1. Standard desktop hardware and software configurations (that is, operating system, virus checking software, and common desktop tools or software) must be established, distributed, and maintained.
    2. Unauthorized hardware or software shall not be installed on desktop or mobile computers.
    3. Software packages, updates, and patches shall be distributed through approved predefined processes, and associated metrics shall be maintained, to determine success rates and compliance.
    4. All changes to standard desktop hardware or software configurations must be made in accordance with the Change Control Certification Standard and Vulnerability Assessment Standard.
    5. Desktop and mobile systems are subject to regular or unannounced audits of hardware and software to identify and remove non-compliant components.


Document Examples

Use these samples as a guide for your policy development. Fully customizable versions are available from The Policy Machine.