Configuration Management

Configuration Management (CM) has some key controls and processes concentrated in the middle of the SDLC, where configuration settings and the configuration baseline are recorded, but the entire process has small pieces spread throughout the SDLC which must be considered.

Configuration management actually begins with the recording of inventory as new objects are brought into the organization. Inventory, at first glance, may seem trivial to security, but many organizations struggle with keeping their inventory process dynamically updated and accurate. Many other processes that come later in the SDLC depend for their accuracy on how well the inventory was done and how accurately it is maintained. These include:

  • System characterization and boundary definition
  • System categorization
  • Impact assessment
  • Risk assessment
  • Patching
  • Authorization
  • Continuous monitoring

As security controls are implemented, it becomes necessary to adjust and document configuration settings to make sure the controls are working properly. Eventually, all the standard settings need to be collected into a configuration baseline.

In the continuous monitoring process, many key elements of the information system and related controls are monitored. When this monitoring detects any configuration change, the result must be fed into the configuration change control process. This process is designed to monitor and handle change, whether the change is planned, or unplanned and simply detected by monitoring. The change control process involves the following steps:

  • Monitoring for change
  • Evaluating the change impact
  • Making a decision (approve, deny, defer)
  • Taking action
    • Notification
    • Implementation
    • Documentation
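The following is an added example, not part of the original text, showing how a recorded configuration baseline and the change control steps above (monitor, evaluate impact, decide, act) can be modelled in code. The asset identifier, the settings, the list of high-impact settings and the approved-change list are all constructed sample data; the impact rules and decision rules are assumptions chosen to illustrate the three possible decisions, not a standard.

```python
"""Configuration baseline drift detection and change control (added example)."""
import hashlib
import json
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample baseline: one inventory asset and its standard settings.
BASELINE = {
    "asset_id": "srv-web-01",  # hypothetical inventory identifier
    "settings": {
        "sshd.PermitRootLogin": "no",
        "sshd.PasswordAuthentication": "no",
        "sysctl.net.ipv4.ip_forward": "0",
        "audit.enabled": "yes",
    },
}

# Constructed list of settings whose change is always rated high impact.
HIGH_IMPACT = {"sshd.PermitRootLogin", "sshd.PasswordAuthentication", "audit.enabled"}

# Constructed list of planned changes already approved through change control,
# as (setting, new value) pairs.
APPROVED_CHANGES = {("sysctl.net.ipv4.ip_forward", "1")}

# Constructed snapshot of what monitoring observed on the asset.
OBSERVED = {
    "sshd.PermitRootLogin": "yes",            # unplanned, high impact
    "sshd.PasswordAuthentication": "no",
    "sysctl.net.ipv4.ip_forward": "1",        # planned and approved
    "audit.enabled": "yes",
    "ntp.server": "time.example.net",         # new setting, not in baseline
}


def baseline_hash(settings: Dict[str, str]) -> str:
    """Fingerprint of the recorded baseline so the baseline record itself
    can later be checked for unauthorised modification."""
    canonical = json.dumps(settings, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


@dataclass
class ChangeRecord:
    asset_id: str
    setting: str
    expected: Optional[str]      # baseline value, None if the setting is new
    observed: Optional[str]      # observed value, None if the setting vanished
    impact: str = "unknown"
    decision: str = "pending"    # approve | deny | defer
    actions: List[str] = field(default_factory=list)


def detect_drift(baseline: dict, observed: Dict[str, str]) -> List[ChangeRecord]:
    """Step 1, monitoring: one change record per setting that differs from
    the baseline (changed, removed, or added)."""
    expected = baseline["settings"]
    records = []
    for key in sorted(set(expected) | set(observed)):
        if expected.get(key) != observed.get(key):
            records.append(ChangeRecord(baseline["asset_id"], key,
                                        expected.get(key), observed.get(key)))
    return records


def evaluate_impact(record: ChangeRecord) -> str:
    """Step 2: rate the impact (assumed rule: listed settings are high)."""
    record.impact = "high" if record.setting in HIGH_IMPACT else "low"
    return record.impact


def decide(record: ChangeRecord, approved: set) -> str:
    """Step 3: approve planned changes, deny unplanned high-impact ones,
    defer the rest for human review (assumed rule)."""
    if (record.setting, record.observed) in approved:
        record.decision = "approve"
    elif record.impact == "high":
        record.decision = "deny"
    else:
        record.decision = "defer"
    return record.decision


def act(record: ChangeRecord, baseline: dict) -> List[str]:
    """Step 4: notify, implement (update baseline or revert), document."""
    record.actions.append(f"notify: {record.asset_id} {record.setting} {record.decision}")
    if record.decision == "approve":
        baseline["settings"][record.setting] = record.observed
        record.actions.append("implement: baseline updated")
    elif record.decision == "deny":
        record.actions.append(f"implement: revert to baseline value {record.expected!r}")
    else:
        record.actions.append("implement: hold pending review")
    record.actions.append("document: change record filed")
    return record.actions


def run_change_control(baseline: dict, observed: Dict[str, str],
                       approved: set) -> Tuple[List[ChangeRecord], dict]:
    """Run the whole loop on a working copy of the baseline; returns the
    change records and the possibly updated baseline copy."""
    working = {"asset_id": baseline["asset_id"], "settings": dict(baseline["settings"])}
    records = detect_drift(working, observed)
    for rec in records:
        evaluate_impact(rec)
        decide(rec, approved)
        act(rec, working)
    return records, working


if __name__ == "__main__":
    print("baseline fingerprint:", baseline_hash(BASELINE["settings"]))
    for rec in run_change_control(BASELINE, OBSERVED, APPROVED_CHANGES)[0]:
        print(rec.setting, rec.expected, "->", rec.observed, rec.impact, rec.decision)
```

Running it on the constructed snapshot yields one denied change (root login enabled without approval), one approved change (the planned IP forwarding setting, which updates the baseline copy), and one deferred change (the new NTP setting). Keeping the baseline fingerprint alongside the record lets monitoring also notice when the baseline itself, rather than the system, has been altered.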

At the end of the SDLC, it may become important to protect configuration information as equipment reaches the end of its life and is discarded. In any case, configuration management gets involved again, as asset management/inventory needs to be updated when equipment is retired.