Sample Configuration Management Standard

From HORSE - Holistic Operational Readiness Security Evaluation.
Revision as of 12:03, 25 July 2006 by Mdpeters



The <Your Company Name> (the "Company") Sample Asset Management Policy defines objectives for establishing specific standards for properly managing the Company Information Technology infrastructure, including networks, systems, and applications that store, process, and transmit information assets.

This Configuration Management Standard builds on the objectives established in the Sample Asset Management Policy, and provides specific instructions and requirements for establishing and maintaining baseline protection standards for Company network devices, servers, and desktops.

I. Scope


All employees, contractors, part-time and temporary workers, and those employed by others to perform work on Company premises or who have been granted access to Company information or systems, are covered by this standard and must comply with associated guidelines and procedures.

Configuration Management refers to a collection of related processes pertaining to systems configuration that include functions such as hardware and software tracking; standard configurations and computing environments; and periodic auditing and compliance checking.

Information assets are defined in the Sample Asset Identification and Classification Policy.

Protection standard refers to the required security configuration for a network device or system.

II. Requirements


A. General


1. Protection standards must be established and implemented for all computing and network resources in the Company production environment.


2. In accordance with the objectives established in the Sample Asset Protection Policy, Company Sample Protection Standards shall include specific security requirements in the following areas:


  • Access Control
  • Remote Access
  • Physical Access
  • Encryption
  • Integrity Protection
  • Availability Protection
  • Anti-Virus
  • Information Handling
  • Auditing


3. Sample Protection Standards must be reviewed by the Information Security Department to ensure vulnerabilities are not introduced into the Company production environment.


B. Network Devices


1. Each network device included in or providing access to the Company production environment shall be configured in accordance with established Company protection standards.


2. Each network device included in or providing access to the Company production environment shall be uniquely identified, with information retained regarding its physical location, operating system (or equivalent) software, including version and revision levels, and current configuration and security settings.


3. Network devices shall be implemented into the Company production environment in accordance with the Sample Life Cycle Management Standard.


4. All changes to network devices in the Company production environment must be made in accordance with the Change Control Standard and Sample Vulnerability Assessment Standard.


5. Network devices shall be maintained and managed to support Company threat monitoring and intrusion detection objectives.


C. Servers


1. Each server included in or providing access to the Company production environment shall be configured in accordance with established Company Sample Protection Standards.


2. Each server included in or providing access to the Company production environment shall be uniquely identified, with information retained regarding its physical location, hardware configuration, peripherals, firmware revision levels, operating system and version, revisions, and patch levels.


3. Servers shall be implemented into the Company production environment in accordance with the Sample Life Cycle Management Standard.


4. All changes to servers in the Company production environment must be made in accordance with the Sample Change Control Standard and Sample Vulnerability Assessment Standard.


5. Server configurations shall be checked for compliance with Company Sample Protection Standards at least monthly.


6. Servers shall be maintained and managed to support Company threat monitoring and intrusion detection objectives, and be in accordance with the Sample Threat Monitoring Standard and Sample Incident Response Standard.


D. Desktop Environment


1. Standard desktop hardware and software configurations (that is, operating system, virus checking software, and common desktop tools or software) must be established, distributed, and maintained.


2. Unauthorized hardware or software shall not be installed on desktop or mobile computers.


3. Software packages, updates, and patches shall be distributed electronically, and associated metrics shall be maintained to determine success rates and compliance.


4. All changes to standard desktop hardware or software configurations must be made in accordance with the Sample Change Control Standard and Sample Vulnerability Assessment Standard.


5. Desktop and mobile systems are subject to regular or unannounced audits of hardware and software to identify and remove non-compliant components.


III. Responsibilities


The Chief Information Security Officer (CISO) approves the Configuration Management Standard. The CISO is also responsible for ensuring the development, implementation, and maintenance of the Configuration Management Standard.

Company management, including senior management and department managers, is accountable for ensuring that the Configuration Management Standard is properly communicated and understood within its respective organizational units. Company management is also responsible for defining, approving, and implementing procedures in its organizational units and ensuring their consistency with the Configuration Management Standard.

Asset Owners (Owners) are the managers of organizational units that have primary responsibility for information assets associated with their functional authority. When Owners are not clearly implied by organizational design, the CIO will make the designation. The Owner is responsible for defining processes and procedures that are consistent with the Configuration Management Standard; coordinating with the Information Security Department to ensure that Company protection standards are properly established and maintained; and ensuring that accurate and updated information on network devices and servers in the production environment is retained.

Asset Custodians (Custodians) are the managers, administrators, and those designated by the Owner to manage, process, or store information assets. Custodians are responsible for providing a secure processing environment that protects the confidentiality, integrity, and availability of information; coordinating with the Information Security Department to ensure that Company protection standards are properly established and maintained; configuring network devices, servers, and desktop systems in the Company production environment in accordance with established Company protection standards; retaining and updating accurate information on network devices and servers in the production environment; and cooperating with the Information Security Department and/or the Audit Department in efforts to check production servers for compliance with established Company protection standards.

Users are the individuals, groups, or organizations authorized by the Owner to access information assets. Users are responsible for familiarizing themselves with and complying with the Configuration Management Standard and associated guidelines; following Company-approved processes and procedures to request authorization to install hardware or software on their desktop or mobile system; ensuring desktop and mobile systems are available for automated updates; and maintaining the confidentiality, integrity, and availability of information accessed, consistent with the Owner's approved safeguards while under the User's control.

IV. Enforcement and Exception Handling


Failure to comply with the Configuration Management Standard and associated guidelines and procedures can result in disciplinary actions, up to and including termination of employment for employees or termination of contracts for contractors, partners, consultants, and other entities. Legal actions also may be taken for violations of applicable regulations and laws.

Requests for exceptions to the Configuration Management Standard should be submitted to <Insert Title> in accordance with the Information Security Standards Exception Procedure. Prior to official management approval of any exception request, the individuals, groups, or organizations identified in the scope of this standard will continue to observe the Configuration Management Standard.

V. Review and Revision


The Configuration Management Standard will be reviewed and revised in accordance with the Sample Information Security Program Charter.

Approved: _______________________________________________________

Signature

<Insert Name>

Chief Information Security Officer