Configuration Management
Changes to information resources shall be managed and executed according to a formal change control process. The change control process will ensure that the proposed changes are reviewed, authorized, tested, implemented, and released in a controlled manner; and that the status of each proposed change is monitored.
| Category | Sub-Category | Name | Activity |
|---|---|---|---|
| Configuration Management | Baseline Configurations | Baseline | [The organization] ensures security hardening and baseline configuration standards have been established according to industry standards and are reviewed and updated [in accordance with the organization-defined frequency]. |
| Configuration Management | Baseline Configurations | Default "Deny-all" Settings | Where applicable, the information system default access configurations are set to "deny-all." |
| Configuration Management | Baseline Configurations | Configuration Checks | [The organization] uses mechanisms to detect deviations from baseline configurations in production environments. |
| Configuration | Baseline | Configuration | [The organization] reconciles the established device inventory against the enterprise log repository [in accordance with the organization-defined frequency]; devices which do not forward security configurations are remediated. |
| Configuration Management | Baseline Configurations | Time Clock Synchronization | Systems are configured to synchronize information system time clocks based on International Atomic Time or Coordinated Universal Time (UTC). |
| Configuration Management | Baseline Configurations | Time Clock Configuration Access | Access to modify time data is restricted to authorized personnel. |
| Configuration Management | Baseline Configurations | Default Device Passwords | Vendor-supplied default passwords are changed according to [the organization] standards prior to device installation on [the organization] network or immediately after software or operating system installation. |
| Configuration Management | Baseline Configurations | Process Isolation | [The organization] implements only one primary function per server within the production environment; the information system maintains a separate execution domain for each executing process. |
| Configuration Management | Baseline Configurations | Collaborative Devices | Where applicable, collaborative computing devices used at [The Organization] are configured to restrict remote activation and provide an explicit indication that they are in use. |
| Configuration Management | Approved Software | Software Installation | Installation of software or programs in the production environment is approved by authorized personnel. |
