#iso27002/2022/EN
8.9 Configuration management
Control
Configurations, including security configurations, of hardware, software, services and networks should be established, documented, implemented, monitored and reviewed.
Purpose
To ensure hardware, software, services and networks function correctly with required security settings, and configuration is not altered by unauthorized or incorrect changes.
Guidance
General
The organization should define and implement processes and tools to enforce the defined configurations (including security configurations) for hardware, software, services (e.g. cloud services) and networks, for newly installed systems as well as for operational systems over their lifetime.
Roles, responsibilities and procedures should be in place to ensure satisfactory control of all configuration changes.
Standard templates
Standard templates for the secure configuration of hardware, software, services and networks should be defined:
a) using publicly available guidance (e.g. pre-defined templates from vendors and from independent security organizations);
b) considering the level of protection needed in order to determine a sufficient level of security;
c) supporting the organization’s information security policy, topic-specific policies, standards and other security requirements;
d) considering the feasibility and applicability of security configurations in the organization’s context.
The templates should be reviewed periodically and updated when new threats or vulnerabilities need to be addressed, or when new software or hardware versions are introduced.
The following should be considered for establishing standard templates for the secure configuration of hardware, software, services and networks:
a) minimizing the number of identities with privileged or administrator level access rights;
b) disabling unnecessary, unused or insecure identities;
c) disabling or restricting unnecessary functions and services;
d) restricting access to powerful utility programs and host parameter settings;
e) synchronizing clocks;
f) changing vendor default authentication information such as default passwords immediately after installation and reviewing other important default security-related parameters;
g) invoking time-out facilities that automatically log off computing devices after a predetermined period of inactivity;
h) verifying that licence requirements have been met (see 5.32).
Managing configurations
Established configurations of hardware, software, services and networks should be recorded and a log should be maintained of all configuration changes. These records should be securely stored. This can be achieved in various ways, such as configuration databases or configuration templates.
Changes to configurations should follow the change management process (see 8.32).
Configuration records can contain as relevant:
a) up-to-date owner or point of contact information for the asset;
b) date of the last change of configuration;
c) version of configuration template;
d) relation to configurations of other assets.
Monitoring configurations
Configurations should be monitored with a comprehensive set of system management tools (e.g. maintenance utilities, remote support, enterprise management tools, backup and restore software) and should be reviewed on a regular basis to verify configuration settings, evaluate password strengths and assess activities performed. Actual configurations can be compared with the defined target templates. Any deviations should be addressed, either by automatic enforcement of the defined target configuration or by manual analysis of the deviation followed by corrective actions.
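As an added example, not part of ISO/IEC 27002 or any vendor template, the following Python script shows the comparison of an observed host configuration against a defined target template and the two ways of handling deviations named above: automatic enforcement for settings the template marks as safe to re-apply, and manual analysis for the rest (here, a root-login setting and a privileged identity that is not on the allow-list). Every applied fix produces a change record carrying the owner, template version, timestamp and previous configuration hash, matching the record fields listed under "Managing configurations". The template keys (sshd.*, chrony.*, service.*), the host state and the asset identifier are constructed sample data.

```python
"""Configuration drift check and enforcement (added example).

Compares an asset's observed configuration with its target template,
lists deviations, and applies the target for the keys the template marks
as safe to auto-enforce, writing a change record for each applied fix.
Template, settings and host state are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
import hashlib
import json

# Constructed target template (hypothetical keys; not a vendor or CIS template).
TARGET_TEMPLATE = {
    "template_version": "linux-ssh-host-1.4",
    "settings": {
        "sshd.PermitRootLogin": "no",
        "sshd.PasswordAuthentication": "no",
        "sshd.ClientAliveInterval": 300,   # idle time-out (guidance item g)
        "sshd.ClientAliveCountMax": 0,
        "chrony.enabled": True,            # clock synchronization (item e)
        "service.telnet": "disabled",      # unnecessary, insecure service (item c)
        "service.cups": "disabled",
    },
    # Identities allowed to hold admin rights on hosts using this template (item a).
    "allowed_admins": ["root", "ops-admin"],
    # Settings the tooling may re-apply without a human looking first.
    "auto_enforce": ["sshd.ClientAliveInterval", "sshd.ClientAliveCountMax", "service.telnet"],
}

# Constructed observed state, as a scan agent might report it.
OBSERVED = {
    "asset_id": "web-01",
    "owner": "platform-team",
    "settings": {
        "sshd.PermitRootLogin": "yes",
        "sshd.PasswordAuthentication": "no",
        "sshd.ClientAliveInterval": 0,
        # sshd.ClientAliveCountMax is absent on the host
        "chrony.enabled": True,
        "service.telnet": "enabled",
        "service.cups": "disabled",
    },
    "admins": ["root", "ops-admin", "jsmith"],
}


@dataclass(frozen=True)
class Deviation:
    key: str
    expected: object
    actual: object
    auto_enforceable: bool


def config_hash(settings: dict) -> str:
    """Stable fingerprint of a settings map, recorded in the change log."""
    canonical = json.dumps(settings, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def find_deviations(template: dict, observed: dict) -> list[Deviation]:
    """Return every difference between the target template and the observed state."""
    auto = set(template.get("auto_enforce", []))
    found = []
    for key, expected in sorted(template["settings"].items()):
        actual = observed["settings"].get(key)  # None when the setting is absent
        if actual != expected:
            found.append(Deviation(key, expected, actual, key in auto))
    # Privileged identities outside the allow-list always go to manual review:
    # removing one automatically could lock out a legitimate administrator.
    extra = set(observed.get("admins", [])) - set(template["allowed_admins"])
    for ident in sorted(extra):
        found.append(Deviation("admins", "not present", ident, False))
    return found


def enforce(template: dict, observed: dict, deviations: list[Deviation]) -> tuple[dict, list[dict]]:
    """Apply the target value for auto-enforceable deviations only.

    Returns the new state and one change record per applied fix; the input
    state is not mutated. Non-enforceable deviations are left for analysis.
    """
    new_state = json.loads(json.dumps(observed))  # deep copy
    before = config_hash(observed["settings"])
    records = []
    for d in deviations:
        if not d.auto_enforceable:
            continue
        new_state["settings"][d.key] = d.expected
        records.append({
            "asset_id": observed["asset_id"],
            "owner": observed["owner"],
            "key": d.key,
            "from": d.actual,
            "to": d.expected,
            "template_version": template["template_version"],
            "changed_at": datetime.now(timezone.utc).isoformat(),
            "previous_hash": before,
        })
    return new_state, records


if __name__ == "__main__":
    devs = find_deviations(TARGET_TEMPLATE, OBSERVED)
    for d in devs:
        action = "auto-enforce" if d.auto_enforceable else "manual review"
        print(f"{d.key}: expected {d.expected!r}, found {d.actual!r} -> {action}")
    fixed, log = enforce(TARGET_TEMPLATE, OBSERVED, devs)
    remaining = [d.key for d in find_deviations(TARGET_TEMPLATE, fixed)]
    print(f"{len(log)} change(s) applied; left for manual review: {remaining}")
```

On the sample data the check reports five deviations, three of which (the idle time-out pair and the telnet service) are re-applied automatically, while the root-login setting and the unexpected admin account are left for manual analysis. Absent settings are treated as deviations rather than silently passing, and the change records point back to the template version and the pre-change hash so that a later review can reconstruct what was changed and why.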
Other information
Documentation for systems often records details about the configuration of both hardware and software.
System hardening is a typical part of configuration management.
Configuration management can be integrated with asset management processes and associated tooling.
Automation is usually more effective for managing security configuration (e.g. using infrastructure as code).
Configuration templates and targets can be confidential information and should be protected from unauthorized access accordingly.