Latest revision as of 21:56, 15 January 2014
Sample Configuration Management Standard
The Configuration Management Standard builds on the objectives established in the Asset Management Standard, and provides specific instructions and requirements for establishing and maintaining baseline protection standards for Company network devices, servers, and desktops.
Objectives
- General
  - Protection standards must be established and implemented for all computing and network resources in the Company production environment.
  - In accordance with the objectives established in the Asset Protection Standard, Company protection standards shall include specific security requirements in the following areas:
    - Access Control
    - Remote Access
    - Physical Access
    - Encryption
    - Integrity Protection
    - Availability Protection
    - Anti-Virus
    - Information Handling
    - Auditing
  - Sample Protection Standards must be reviewed by the Information Security Department to ensure vulnerabilities are not introduced into the Company production environment.
- Network Devices
  - Each network device included in or providing access to the Company production environment shall be configured in accordance with established Company protection standards.
  - Each network device included in or providing access to the Company production environment shall be uniquely identified, with information retained regarding its physical location, operating system (or equivalent) software, including version and revision levels, and current configuration and security settings.
  - Network devices shall be implemented into the Company production environment in accordance with the System Development Life Cycle Standard.
  - All changes to network devices in the Company production environment must be made in accordance with the Change Control Certification Standard and Vulnerability Assessment Standard.
  - Network devices shall be maintained and managed to support Company threat monitoring and intrusion detection objectives.
- Servers
  - Each server included in or providing access to the Company production environment shall be configured in accordance with established Company Protection Standards.
  - Each server included in or providing access to the Company production environment shall be uniquely identified, with information retained regarding its physical location, hardware configuration, peripherals, firmware revision levels, operating system and version, revisions, and patch levels.
  - Servers shall be implemented into the Company production environment in accordance with the System Development Life Cycle Standard.
  - All changes to servers in the Company production environment must be made in accordance with the Change Control Certification Standard and Vulnerability Assessment Standard.
  - Server configurations shall be checked for compliance with Company Protection Standards at least monthly.
  - Servers shall be maintained and managed to support Company threat monitoring and intrusion detection objectives, and be in accordance with the Threat Monitoring Standard and Incident Response Standard.
- Desktop Environment
  - Standard desktop hardware and software configurations (that is, operating system, virus checking software, and common desktop tools or software) must be established, distributed, and maintained.
  - Unauthorized hardware or software shall not be installed on desktop or mobile computers.
  - Software packages, updates, and patches shall be distributed through approved predefined processes, and associated metrics shall be maintained, to determine success rates and compliance.
  - All changes to standard desktop hardware or software configurations must be made in accordance with the Change Control Certification Standard and Vulnerability Assessment Standard.
  - Desktop and mobile systems are subject to regular or unannounced audits of hardware and software to identify and remove non-compliant components.
Document Examples
Use these samples as a guide for your policy development. Fully customizable versions are available from The Policy Machine.
Image gallery: Configuration Management Standard, page one of nine through page nine of nine.