Week 19: Configuration Management (CM)

When
Every month for organizations with ongoing changes planned, every other month for organizations with medium activity or quarterly for organizations with less activity.

Why
There are different types of CM like software, network, etc. They all boil down to knowing the security state of your entire system at any given time -- no matter what changes are applied. CM, sometimes called change management, is the management of security features through control of changes made to hardware, software, firmware, documentation, test, test fixtures and test documentation of an information system (IS) throughout its development and operational life.

For the government, CM is an integral part of the system accreditation process. If you have systems that must pass certification and accreditation (C&A), you must use a CM process when ISes, new or otherwise, are under development, being procured or delivered for operation. Therefore, it's imperative that accreditation authorities be advised of CM decisions. This will ensure systems are fielded or modified within acceptable risk parameters and the latest security technology is being incorporated into system designs. This participation is most important at preliminary design and critical design reviews.

Strategy
If you don't have one, you need to create a Configuration Control Board (CCB), sometimes also called a Configuration Management Board. The board should be made up of people who are knowledgeable members of the program team and who represent key functional areas and have the authority to commit to decisions made at the CCB. You'll need a chairperson for it, like the CIO. Other members include, at a minimum, the chief system or software engineer/architect, quality assurance/control expert, functional area leads, program managers, cognizant engineers, business managers and perhaps even finance/accounting members as applicable. Voting can be optional, but I support the voting opti

To continue reading for free, register below or login

Requires Membership to View

To gain access to this and all member only content, please provide the following information (all fields required):

First Name:
Last Name:
Country: Select... Afghanistan Aland Islands Albania Algeria American Samoa Andorra Angola Anguilla Antarctica Antigua and Barbuda Argentina Armenia Aruba Australia Austria Azerbaijan Bahamas Bahrain Bangladesh Barbados Belarus Belgium Belize Benin Bermuda Bhutan Bolivia Bosnia and Herzegovina Botswana Bouvet Island Brazil British Indian Ocean Territory British Virgin Islands Brunei Bulgaria Burkina Faso Burundi Cambodia Cameroon Canada Cape Verde Cayman Islands Central African Republic Chad Chile China Christmas Island Cocos (Keeling) Islands Colombia Comoros Congo Congo, Democratic Republic of Cook Islands Costa Rica Cote D'Ivoire Croatia Cuba Cyprus Czech Republic Denmark Djibouti Dominica Dominican Republic Ecuador Egypt El Salvador Equatorial Guinea Eritrea Estonia Ethiopia Falkland Islands Faroe Islands Fiji Finland France French Guiana French Polynesia French Southern Territories Gabon Gambia, The Georgia Germany Ghana Gibraltar Greece Greenland Grenada Guadeloupe Guam Guatemala Guernsey Guinea Guinea-Bissau Guyana Haiti Heard and McDonald Islands Honduras Hong Kong Hungary Iceland India Indonesia Iran Iraq Ireland Israel Italy Jamaica Japan Jersey Jordan Kazakhstan Kenya Kiribati Korea, North Korea, South Kuwait Kyrgyzstan Laos Latvia Lebanon Lesotho Liberia Libya Liechtenstein Lithuania Luxembourg Macau Macedonia Madagascar Malawi Malaysia Maldives Mali Malta Man, Isle of Marshall Islands Martinique Mauritania Mauritius Mayotte Mexico Micronesia Moldova Monaco Mongolia Montserrat Morocco Mozambique Myanmar Namibia Nauru Nepal Netherlands Netherlands Antilles New Caledonia New Zealand Nicaragua Niger Nigeria Niue Norfolk Island Northern Mariana Islands Norway Oman Pakistan Palau Palestine Panama Panama Canal Zone Papua New Guinea Paraguay Peru Philippines Pitcairn Poland Portugal Puerto Rico Qatar Reunion Romania Russia Rwanda Saint Helena Saint Kitts and Nevis Saint Lucia Saint Pierre and Miquelon Saint Vincent and the Grenadines Samoa San Marino Sao Tome and Principe Saudi Arabia Senegal Serbia and Montenegro Seychelles Sierra Leone Singapore Slovakia Slovenia Solomon Islands Somalia South Africa South Georgia and South Sandwich Islands Spain Sri Lanka Sudan Suriname Svalbard Swaziland Sweden Switzerland Syria Taiwan Tajikistan Tanzania Thailand Timor-Leste Togo Tokelau Tonga Trinidad and Tobago Tunisia Turkey Turkmenistan Turks and Caicos Islands Tuvalu U.S. Minor Outlying Islands Uganda Ukraine United Arab Emirates United Kingdom United States Uruguay Uzbekistan Vanuatu Vatican City Venezuela Vietnam Virgin Islands Wallis and Futuna Islands Western Sahara Yemen Zambia Zimbabwe
Email Address:

I would like to receive a FREE subscription to Information Security magazine online.
YesNo

Do you manage, evaluate, recommend, implement, support or purchase security products, software or services?
YesNo

Please estimate the yearly security budget for your entire organization including all security products and services.
Please select... Over $10 Million $5 Million-$10 Million $1 Million-$4.9 Million $500,000-$999,999 $100,000-$499,999 $50,000-$99,999 $25,000-$49,999 $10,000-$24,999 Less than $10,000 None

What is your role in purchasing IT related products and services? (Check all that apply)
Technical decision maker
Financial decision maker
Recommend/Specify
Evaluate products
Implement Products/Services
Determine Needs
Create Security Strategy
None

By joining SearchSecurity.com you agree to receive email updates from the TechTarget network of sites, including updates on new content, magazine or event notifications, new site launches and market research surveys. Please verify all information and selections above. You may unsubscribe at any time from one or more of the services you have selected by editing your profile or unsubscribing via email.

TechTarget cares about your privacy. Read our Privacy Policy

The following policy items should be included for the CM of all systems:

--Modifying, relocating or reconfiguring of hardware or software for any system should be evaluated and approved by the CCB for your site. Hardware should not be connected to any system/network without the express written consent of the CCB, and of course documented appropriately. Modifying, installing or downloading any software may affect system accreditation, if applicable. Your policy should delineate authorized and unauthorized software and hardware.

--Participate in the development of site CM Plan (CMP).

--Establish your site's architectural baseline and maintain it.

--Preview proposed security changes that could impact your site's security posture and make approval/disapproval recommendations.

--Certify site accreditation baseline, if applicable, in coordination with the site certification authority (as required), now annually.

--Ensure all site security documentation is prepared and maintained.

Your site CMP describes how to implement and maintain configuration of your site; defines how CM is implemented as it relates to identification, control, status accounting and auditing; defines the roles of designers, developers, management, the CCB and any others in the lifecycle of present/future baseline systems and how new systems will be incorporated into the baseline; and defines CCB membership by office symbol and title.

More information
Sites like http://www.sei.cmu.edu and http://www.icmhq.com contain information sources from industry and government. There are also automated tracking programs, some resident in the operating systems, some as modules to buy and some as third-party options.

About the author
Shelley Bard, CISSP, is a senior security network engineer with Verizon Federal Network Systems (FNS). An infosecurity professional for 17 years, Bard has briefed and written infosecurity assessments and technical reports for the White House and Department of Defense, special interest groups, industry and academia. Please e-mail any comments to mailto:securityplanner@infosecuritymag.com.

Opinions expressed in this column are those of Shelley Bard and don't necessarily reflect those of Verizon FNS.

Last week: Week 18: Budgets
Next week: The dreaded risk assessment

Rate this Tip To rate tips, you must be a member of SearchSecurity.com. Register now to start rating these tips. Log in if you are already a member. BROWSE BY TAG Weekly Security Planner,   Network Security: Tools, Products, Software,   Network Device Management,   Enterprise Network Security,   Application and Platform Security,   Enterprise Vulnerability Management,   Configuration Management Planning,   VIEW ALL TAGS Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Weekly Security Planner Weekly Security Planner: April Weekly Security Planner: March Weekly Security Planner: January Weekly Security Planner: February Weekly Security Planner: December Weekly Security Planner: November Weekly Security Planner: September Weekly Security Planner: August Weekly Security Planner: October Weekly Security Planner: July Network Device Management Firewall rule management best practices What are best practices for fiber optic cable security? Enterprise UTM security: The best threat management solution? Making the case for network security configuration management Know when you need IDS, IPS or both SIEM: Not for small business, nor the faint of heart Evaluating MSSP security before taking the plunge Ixia network security tool exposes problems Product Review: Deepdive's DD300 Security services: Fiberlink's MaaS360 Mobility Platform Configuration Management Planning EMC adds configuration management with Configuresoft acquisition McAfee to acquire Solidcore Systems for whitelisting Product Review: Shavlik's NetChk Compliance Security services: Fiberlink's MaaS360 Mobility Platform CISSP Essentials training: Domain 10, Operations Security 5 Steps for Developing Strong Change Management Program Best Practices Misconfiguration issues could have contributed to Hannaford breach Misconfigured networks create huge security risks Private sector should learn from government insecurity Compliance drives security configuration management Configuration Management Planning Research RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary OCSP  (SearchSecurity.com) trusted computing base  (SearchSecurity.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.