Sample Configuration Management Standard:: Difference between revisions

From HORSE - Holistic Operational Readiness Security Evaluation.
==Sample Configuration Management Standard==
The Configuration Management Standard builds on the objectives established in the [[Sample_Asset_Management_Policy:|'''Asset Management Policy''']], and provides specific instructions and requirements for establishing and maintaining baseline protection standards for Company network devices, servers, and desktops.
 
==Objectives==
# '''General'''
## Protection standards must be established and implemented for all computing and network resources in the Company production environment.
## In accordance with the objectives established in the Asset Protection Standard, Company protection standards shall include specific security requirements in the following areas:
### Access Control
### Remote Access
### Physical Access
### Encryption
### Integrity Protection
### Availability Protection
### Anti-Virus
### Information Handling
### Auditing
## Sample Protection Standards must be reviewed by the Information Security Department to ensure vulnerabilities are not introduced into the Company production environment.
# '''Network Devices'''
## Each network device included in or providing access to the Company production environment shall be configured in accordance with established Company protection standards.
## Each network device included in or providing access to the Company production environment shall be uniquely identified, with information retained regarding its physical location, operating system (or equivalent) software, including version and revision levels, and current configuration and security settings.
## Network devices shall be implemented into the Company production environment in accordance with the System Development Life Cycle Standard.
## All changes to network devices in the Company production environment must be made in accordance with the [[Sample_Change_Control_Standard:|'''Change Control Standard''']] and [[Sample_Vulnerability_Assessment_Standard:|'''Vulnerability Assessment Standard''']].
## Network devices shall be maintained and managed to support Company threat monitoring and intrusion detection objectives.
# '''Servers'''
## Each server included in or providing access to the Company production environment shall be configured in accordance with established Company Protection Standards.
## Each server included in or providing access to the Company production environment shall be uniquely identified, with information retained regarding its physical location, hardware configuration, peripherals, firmware revision levels, operating system and version, revisions, and patch levels.
## Servers shall be implemented into the Company production environment in accordance with the [[Sample_System_Development_Life_Cycle_Standard:|'''System Development Life Cycle Standard''']].
## All changes to servers in the Company production environment must be made in accordance with the [[Sample_Change_Control_Standard:|'''Change Control Standard''']] and [[Sample_Vulnerability_Assessment_Standard:|'''Vulnerability Assessment Standard''']].
## Server configurations shall be checked for compliance to Company Protection Standards, at least monthly.
## Servers shall be maintained and managed to support Company threat monitoring and intrusion detection objectives, and be in accordance with the [[Sample_Threat_Monitoring_Standard:|'''Threat Monitoring Standard''']] and [[Sample_Incident_Response_Standard:|'''Incident Response Standard''']].
# '''Desktop Environment'''
## Standard desktop hardware and software configurations (that is, operating system, virus checking software, and common desktop tools or software) must be established, distributed, and maintained.
## Unauthorized hardware or software shall not be installed on desktop or mobile computers.
## Software packages, updates, and patches shall be distributed through approved predefined processes, and associated metrics shall be maintained, to determine success rates and compliance.
## All changes to standard desktop hardware or software configurations must be made in accordance with the [[Sample_Change_Control_Standard:|'''Change Control Standard''']] and [[Sample_Vulnerability_Assessment_Standard:|'''Vulnerability Assessment Standard''']].
## Desktop and mobile systems are subject to regular or unannounced audits of hardware and software to identify and remove non-compliant components.
<br>
<br>
==Document Examples==
Use these samples as a guide for your policy development. Fully customizable versions are available from [http://policy-machine.com The Policy Machine].<br>
<br>
==Document History==
{| id="table1" width="100%" border="1"
| bgcolor="#C0C0C0" | '''Version'''
| bgcolor="#C0C0C0" | '''Date'''
| bgcolor="#C0C0C0" | '''Revised By'''
| bgcolor="#C0C0C0" | '''Description'''
|-
| 1.0
| 1 January 2010 '''<Current date>'''
| Michael D. Peters '''<Owner's name>'''
| This version replaces any prior version.
|}
<br>
==Document Certification==
<br>
{| id="table1" width="100%" border="1"
| bgcolor="#C0C0C0" | '''Description'''
| bgcolor="#C0C0C0" | '''Date Parameters'''
|-
| '''Designated document recertification cycle in days:'''
| 30 - 90 - 180 - '''365''' '''<Select cycle>'''
|-
| '''Next document recertification date:'''
| 1 January 2011 '''<Date>'''
|}
<br>
<br>
<gallery>
Image:Configuration Management Standard.png|Configuration Management Standard page one of nine.
Image:Configuration Management Standard(1).png|Configuration Management Standard page two of nine.
Image:Configuration Management Standard(2).png|Configuration Management Standard page three of nine.
Image:Configuration Management Standard(3).png|Configuration Management Standard page four of nine.
Image:Configuration Management Standard(4).png|Configuration Management Standard page five of nine.
Image:Configuration Management Standard(5).png|Configuration Management Standard page six of nine.
Image:Configuration Management Standard(6).png|Configuration Management Standard page seven of nine.
Image:Configuration Management Standard(7).png|Configuration Management Standard page eight of nine.
Image:Configuration Management Standard(8).png|Configuration Management Standard page nine of nine.
</gallery>


=='''Sample Configuration Management Standard'''==
The '''<Your Company Name>''' (the "Company") [[Sample Asset Management Policy:|'''Sample Asset Management Policy''']] defines objectives for establishing specific standards for properly managing the Company Information Technology infrastructure, including networks, systems, and applications that store, process, and transmit information assets.<br>
<br>
This Configuration Management Standard builds on the objectives established in the [[Sample Asset Management Policy:|'''Sample Asset Management Policy''']], and provides specific instructions and requirements for establishing and maintaining baseline protection standards for Company network devices, servers, and desktops.<br>
<br>
=='''I. Scope'''==
<br>
All employees, contractors, part-time and temporary workers, and those employed by others to perform work on Company premises or who have been granted access to Company information or systems, are covered by this standard and must comply with associated guidelines and procedures.<br>
<br>
'''Configuration Management''' refers to a collection of related processes pertaining to systems configuration that include functions such as hardware and software tracking; standard configurations and computing environments; and periodic auditing and compliance checking.<br>
<br>
'''Information assets''' are defined in the [[Sample Asset Identification and Classification Policy:|'''Sample Asset Identification and Classification Policy''']].<br>
<br>
'''Protection standard''' refers to the required security configuration for a network device or system.<br>
<br>
=='''II. Requirements'''==
<br>
:'''A. General'''<br>
<br>
::1. Protection standards must be established and implemented for all computing and network resources in the Company production environment.<br>
<br>
::2. In accordance with the objectives established in the [[Sample Asset Protection Policy:|'''Sample Asset Protection Policy''']], Company [[Sample Asset Protection Standards:|'''Sample Protection Standards''']] shall include specific security requirements in the following areas:<br>
<br>
::*Access Control<br>
::*Remote Access<br>
::*Physical Access<br>
::*Encryption<br>
::*Integrity Protection<br>
::*Availability Protection<br>
::*Anti-Virus<br>
::*Information Handling<br>
::*Auditing<br>
<br>
::3. [[Sample Asset Protection Standards:|'''Sample Protection Standards''']] must be reviewed by the Information Security Department to ensure vulnerabilities are not introduced into the Company production environment.<br>
<br>
:'''B. Network Devices'''<br>
<br>
::1. Each network device included in or providing access to the Company production environment shall be configured in accordance with established Company protection standards.<br>
<br>
::2. Each network device included in or providing access to the Company production environment shall be uniquely identified, with information retained regarding its physical location, operating system (or equivalent) software, including version and revision levels, and current configuration and security settings.<br>
<br>
::3. Network devices shall be implemented into the Company production environment in accordance with the [[Sample Life Cycle Management Standard:|'''Sample Life Cycle Management Standard''']].<br>
<br>
::4. All changes to network devices in the Company production environment must be made in accordance with the [[Sample Change Control Standard:|'''Sample Change Control Standard''']] and [[Sample Vulnerability Assessment Standard:|'''Sample Vulnerability Assessment Standard''']].<br>
<br>
::5. Network devices shall be maintained and managed to support Company threat monitoring and intrusion detection objectives.<br>
<br>
:'''C. Servers'''<br>
<br>
::1. Each server included in or providing access to the Company production environment shall be configured in accordance with established Company [[Sample Asset Protection Standards:|'''Sample Protection Standards''']].<br>
<br>
::2. Each server included in or providing access to the Company production environment shall be uniquely identified, with information retained regarding its physical location, hardware configuration, peripherals, firmware revision levels, operating system and version, revisions, and patch levels.<br>
<br>
::3. Servers shall be implemented into the Company production environment in accordance with the [[Sample Life Cycle Management Standard:|'''Sample Life Cycle Management Standard''']].<br>
<br>
::4. All changes to servers in the Company production environment must be made in accordance with the [[Sample Change Control Standard:|'''Sample Change Control Standard''']] and [[Sample Vulnerability Assessment Standard:|'''Sample Vulnerability Assessment Standard''']].<br>
<br>
::5. Server configurations shall be checked for compliance to Company [[Sample Asset Protection Standards:|'''Sample Protection Standards''']], at least monthly.<br>
<br>
::6. Servers shall be maintained and managed to support Company threat monitoring and intrusion detection objectives, and be in accordance with the [[Sample Threat Monitoring Standard:|'''Sample Threat Monitoring Standard''']] and [[Sample Incident Response Standard:|'''Sample Incident Response Standard''']].<br>
<br>
:'''D. Desktop Environment'''<br>
<br>
::1. Standard desktop hardware and software configurations (that is, operating system, virus checking software, and common desktop tools or software) must be established, distributed, and maintained.<br>
<br>
::2. Unauthorized hardware or software shall not be installed on desktop or mobile computers.<br>
<br>
::3. Software packages, updates, and patches shall be distributed electronically, and associated metrics shall be maintained, to determine success rates and compliance.<br>
<br>
::4. All changes to standard desktop hardware or software configurations must be made in accordance with the [[Sample Change Control Standard:|'''Sample Change Control Standard''']] and [[Sample Vulnerability Assessment Standard:|'''Sample Vulnerability Assessment Standard''']].<br>
<br>
::5. Desktop and mobile systems are subject to regular or unannounced audits of hardware and software to identify and remove non-compliant components.<br>
<br>
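The requirements above (B.2 and C.2 inventory records, C.5 monthly compliance checks, D.2 and D.5 detection of unauthorized software, and the protection-standard areas listed under A.2) describe a check that can be automated. The following is an added example of such a baseline compliance check; it is not part of the original standard and not The Policy Machine's material. The baseline values (sshd settings, TLS version, audit and anti-virus agent state), the approved-software allow-list, the 30-day review interval and the inventory records are all constructed for illustration; a real implementation would take the baseline from the Company's own protection standards and the collected settings from a configuration collector or CMDB.

```python
"""Baseline compliance check modelled on the Configuration Management Standard.

Added example, not the standard's own tooling.  Every baseline value, the
approved-software list and the inventory records below are constructed for
illustration; the real protection standard decides the actual values.
"""
from datetime import date, timedelta

# Fields an inventory record must retain: servers per C.2, network devices per B.2.
REQUIRED_FIELDS = {
    "server": ("location", "hardware", "firmware", "os", "os_version", "patch_level"),
    "network_device": ("location", "os", "os_version"),
}

# Protection standard per asset class: required value per setting, grouped by
# the A.2 areas.  Assumed values, not taken from the original page.
BASELINE = {
    "server": {
        "remote_access": {"sshd.PermitRootLogin": "no",
                          "sshd.PasswordAuthentication": "no"},
        "encryption": {"tls.min_version": "1.2"},
        "anti_virus": {"av.agent_running": True},
        "auditing": {"auditd.enabled": True},
    },
    "network_device": {
        "remote_access": {"mgmt.telnet": False, "mgmt.ssh_version": "2"},
        "auditing": {"syslog.remote_target_set": True},
    },
}

# Approved software per asset class (D.1/D.2).  Constructed allow-list.
APPROVED_SOFTWARE = {"server": {"openssh-server", "auditd", "av-agent", "nginx"}}

REVIEW_INTERVAL_DAYS = 30           # C.5: compliance check at least monthly
REPORT_DATE = date(2014, 1, 15)     # "today" for the constructed run below


def check_asset(asset, today):
    """Return a list of (severity, message) findings for one asset record."""
    findings = []
    kind = asset["kind"]

    # 1. Inventory completeness: every required field present and non-empty.
    for field in REQUIRED_FIELDS[kind]:
        if not asset.get(field):
            findings.append(("medium", f"missing inventory field: {field}"))

    # 2. Drift: each baseline setting compared against the collected value.
    #    A setting that was never collected is reported, not silently passed.
    collected = asset.get("settings", {})
    for area, required in BASELINE[kind].items():
        for key, expected in required.items():
            actual = collected.get(key)
            if actual is None:
                findings.append(("high", f"{area}: {key} not collected"))
            elif actual != expected:
                findings.append(("high", f"{area}: {key}={actual!r}, expected {expected!r}"))

    # 3. Unauthorized software (D.2/D.5): anything installed outside the allow-list.
    if kind in APPROVED_SOFTWARE:
        extra = set(asset.get("software", ())) - APPROVED_SOFTWARE[kind]
        for pkg in sorted(extra):
            findings.append(("medium", f"unauthorized software installed: {pkg}"))

    # 4. Review cadence (C.5): last compliance check older than the interval.
    last = asset.get("last_checked")
    if last is None or today - last > timedelta(days=REVIEW_INTERVAL_DAYS):
        findings.append(("low", f"compliance check overdue (>{REVIEW_INTERVAL_DAYS} days)"))

    return findings


def run_report(inventory, today):
    """Map asset id -> findings; an asset with an empty list is compliant."""
    return {a["id"]: check_asset(a, today) for a in inventory}


# Constructed inventory: one compliant server, one drifted server, one switch.
INVENTORY = [
    {"id": "srv-001", "kind": "server", "location": "DC1/rack 4", "hardware": "2U, 64 GB",
     "firmware": "BIOS 2.14", "os": "Linux", "os_version": "3.13", "patch_level": "2014-01-10",
     "settings": {"sshd.PermitRootLogin": "no", "sshd.PasswordAuthentication": "no",
                  "tls.min_version": "1.2", "av.agent_running": True, "auditd.enabled": True},
     "software": ["openssh-server", "auditd", "av-agent"], "last_checked": date(2014, 1, 5)},
    {"id": "srv-002", "kind": "server", "location": "DC1/rack 5", "hardware": "1U, 32 GB",
     "firmware": "", "os": "Linux", "os_version": "3.13", "patch_level": "2013-11-02",
     "settings": {"sshd.PermitRootLogin": "yes", "sshd.PasswordAuthentication": "no",
                  "tls.min_version": "1.2", "auditd.enabled": False},
     "software": ["openssh-server", "auditd", "unapproved-tool"], "last_checked": date(2013, 11, 1)},
    {"id": "sw-core-1", "kind": "network_device", "location": "DC1/MDF", "os": "IOS",
     "os_version": "15.2(4)",
     "settings": {"mgmt.telnet": True, "mgmt.ssh_version": "2", "syslog.remote_target_set": True},
     "last_checked": date(2014, 1, 14)},
]

if __name__ == "__main__":
    for asset_id, findings in run_report(INVENTORY, REPORT_DATE).items():
        print(f"{asset_id}: {'COMPLIANT' if not findings else f'{len(findings)} finding(s)'}")
        for sev, msg in findings:
            print(f"  [{sev}] {msg}")
```

On the constructed inventory, srv-001 comes back clean, srv-002 produces six findings (a blank firmware field, root SSH login enabled, no anti-virus agent state collected, auditd disabled, one unapproved package, and a review more than 30 days old) and the switch is flagged only for Telnet management being enabled. The check treats a setting that was never collected as a high finding rather than a pass, since a gap in collection is exactly what lets drift go unnoticed between monthly reviews.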
=='''III. Responsibilities'''==
<br>
The Chief Information Security Officer (CISO) approves the Configuration Management Standard. The CISO also is responsible for ensuring the development, implementation, and maintenance of the Configuration Management Standard.<br>
<br>
Company management, including senior management and department managers, is accountable for ensuring that the Configuration Management Standard is properly communicated and understood within its respective organizational units. Company management also is responsible for defining, approving and implementing procedures in its organizational units and ensuring their consistency with the Configuration Management Standard.<br>
<br>
Asset Owners (Owners) are the managers of organizational units that have primary responsibility for information assets associated with their functional authority. When Owners are not clearly implied by organizational design, the CIO will make the designation. The Owner is responsible for defining processes and procedures that are consistent with the Configuration Management Standard; coordinating with the Information Security Department to ensure that Company protection standards are properly established and maintained; and ensuring that accurate and updated information on network devices and servers in the production environment is retained.<br>
<br>
Asset Custodians (Custodians) are the managers, administrators, and those designated by the Owner to manage, process, or store information assets. Custodians are responsible for providing a secure processing environment that protects the confidentiality, integrity, and availability of information; coordinating with the Information Security Department to ensure that Company protection standards are properly established and maintained; configuring network devices, servers, and desktop systems in the Company production environment in accordance with established Company protection standards; retaining and updating accurate information on network devices and servers in the production environment; and cooperating with the Information Security Department and/or the Audit Department in efforts to check production servers for compliance to established Company protection standards.<br>
<br>
Users are the individuals, groups, or organizations authorized by the Owner to access information assets. Users are responsible for familiarizing themselves with and complying with the Configuration Management Standard and associated guidelines; following Company-approved processes and procedures to request authorization to install hardware or software on their desktop or mobile system; ensuring desktop and mobile systems are available for automated updates; and maintaining the confidentiality, integrity and availability of information accessed, consistent with the Owner's approved safeguards while under the User's control.<br>
<br>
=='''IV. Enforcement and Exception Handling'''==
<br>
Failure to comply with the Configuration Management Standard and associated guidelines and procedures can result in disciplinary actions, up to and including termination of employment for employees or termination of contracts for contractors, partners, consultants, and other entities. Legal actions also may be taken for violations of applicable regulations and laws.<br>
<br>
Requests for exceptions to the Configuration Management Standard should be submitted to <Insert Title> in accordance with the Information Security Standards Exception Procedure. Prior to official management approval of any exception request, the individuals, groups, or organizations identified in the scope of this standard will continue to observe the Configuration Management Standard.<br>
<br>
=='''V. Review and Revision'''==
<br>
The Configuration Management Standard will be reviewed and revised in accordance with the [[Sample Information Security Program Charter:|'''Sample Information Security Program Charter''']].<br>
<br>
Approved: _______________________________________________________<br>
<br>
::Signature<br>
<br>
::<Insert Name><br>
<br>
::Chief Information Security Officer<br>
<br>

Revision as of 21:17, 15 January 2014