Configuration Management: SP 800-171 Security Family 3.4
Configuration management is a collection of activities focused on establishing and maintaining the integrity of information technology products and systems through the control of processes for initializing, changing, and monitoring the configurations of those products and systems throughout the System Development Life Cycle (SDLC). Configuration management consists of determining and documenting the appropriate specific settings for a system, conducting security impact analyses, and managing changes through a change control board. It allows the entire system to be reviewed to help ensure that a change made on one system does not have adverse effects on another system.
Common secure configurations (also known as security configuration checklists) provide recognized, standardized, and established benchmarks that specify secure configuration settings for information technology platforms and products. Once implemented, checklists can be used to verify that changes to the system have been reviewed from a security point-of-view. A common audit examines the system’s configuration to see if major changes (such as connecting to the internet) have occurred that have not yet been analyzed. The NIST checklist repository, maintained as part of the National Vulnerability Database (NVD), provides multiple checklists which can be used to check compliance with the secure configuration specified in the system security plan. The checklists can be accessed at http://web.nvd.nist.gov/view/ncp/repository.
Examples of configuration management requirements include baseline configuration, configuration change control, security impact analysis, least functionality, and software usage restrictions.
Companies establish and maintain baseline configurations and inventories of company systems, including hardware, software, firmware, and documentation throughout the respective SDLC and establish and enforce security configuration settings for information technology products employed in company systems.
Related Articles
Security Assessment: SP 800-171 Security Family 3.12
A security requirement assessment is the testing and/or evaluation of the management, operational, and technical security requirements on a system to determine the extent to which the requirements are implemented correctly, operating as intended, and ...
Risk Assessment: SP 800-171 Security Family 3.11
Companies are dependent upon information technology and associated systems. While the increasing number of information technology products used in various companies and industries can be beneficial, in some instances they may also introduce serious ...
Personnel Security: SP 800-171 Security Family 3.9
Users play a vital role in protecting a system as many important issues in information security involve users, designers, implementers, and managers. How these individuals interact with the system and the level of access they need to do their jobs ...
Systems and Communications Protection: SP 800-171 Security Family 3.13
System and communications protection requirements provide an array of safeguards for the system. Some of the requirements in this family address the confidentiality information at rest and in transit. The protection of confidentiality can be provided ...
Incident Response: SP 800-171 Security Family 3.6
Systems are subject to a wide range of threat events, from corrupted data files to viruses to natural disasters. Vulnerability to some threat events can be lessened by having standard operating procedures that can be followed in the event of an ...