Introduction
At first glance configuration management may seem like an odd component of an Information Security (InfoSec) program, but in reality you have to know what you are protecting before you can effectively protect it.
It is almost always more difficult to implement configuration management in an organization that is already running than in a new company starting from the ground up. The reality is that very few organizations achieve this level of IT maturity at their inception, and configuration management is implemented after an IT infrastructure is already in place.
Depending on how your organization procures its IT assets, you may find that a large amount of this data already exists and can be easily incorporated into the configuration process by placing the configuration management process directly in line with the procurement process.
Configuration management needs to have a defined scope and objectives as well as the policies and procedures to achieve these objectives. It is recommended to start with a simple scope and adjust it as you see what works in your environment. For example, you could simply start with hardware/software configuration, asset location, and asset owner.
As you plan your configuration management process, keep its basic tenets in mind. They are as follows:
Identify
Identify all the infrastructure assets and the owner of each asset. The owner may be the IT group or a line of business, depending on your organizational structure. Each asset should have configuration documentation that can be submitted to the configuration management database. Every item should have a unique identifier so that there is no overlap in the configuration database.
Control
Ensure that all additions, modifications, and deletions to the configuration management database are supported by appropriate change request documentation. This will ensure that no assets are added, removed, or modified in your infrastructure without a log of the change.
Status
The status of an asset in the configuration database tracks the history of the asset from procurement to decommission. This not only helps identify trends with hardware and software but also ensures that assets are maintained properly and not lost in the shuffle.
Audit
Routinely review and audit the configuration management database to ensure that the assets that exist in the database are correctly recorded.
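The four tenets above can be enforced in code rather than left to convention. The following is an added example, not part of the original article: an in-memory database in Python where the class names, status values, and the shape of the scan data passed to audit() are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

LIFECYCLE = ("procured", "deployed", "maintenance", "decommissioned")  # assumed statuses

@dataclass
class Asset:
    asset_id: str      # Identify: unique key in the database
    owner: str         # IT group or line of business
    location: str
    config: dict       # hardware/software configuration
    history: list = field(default_factory=list)  # (status, change_request) entries

class CMDB:
    def __init__(self):
        self.assets, self.change_log = {}, []

    def _record(self, action, asset_id, change_request):
        # Control: refuse any write that has no change request behind it.
        if not change_request:
            raise PermissionError(f"{action} {asset_id}: change request required")
        self.change_log.append((change_request, action, asset_id))

    def add(self, asset, change_request):
        if asset.asset_id in self.assets:
            raise ValueError(f"duplicate asset id {asset.asset_id}")
        if not asset.owner:
            raise ValueError(f"{asset.asset_id} has no owner")
        self._record("add", asset.asset_id, change_request)
        asset.history.append(("procured", change_request))
        self.assets[asset.asset_id] = asset

    def set_status(self, asset_id, status, change_request):
        # Status: append-only history from procurement to decommission.
        asset = self.assets[asset_id]
        if status not in LIFECYCLE:
            raise ValueError(f"unknown status {status}")
        self._record(f"status:{status}", asset_id, change_request)
        asset.history.append((status, change_request))

    def audit(self, observed):
        # Audit: compare the records with an inventory scan, given as {asset_id: config}.
        seen, known = set(observed), set(self.assets)
        live = {i for i in known if self.assets[i].history[-1][0] != "decommissioned"}
        return {
            "unrecorded": sorted(seen - known),
            "missing": sorted(live - seen),
            "drifted": sorted(i for i in live & seen if self.assets[i].config != observed[i]),
            "retired_but_seen": sorted(seen & (known - live)),
        }
```

Each non-empty list returned by audit() is a finding to resolve through a change request: an asset on the network with no record, a recorded asset that was not observed, a configuration that no longer matches its record, or a decommissioned asset that is still in use.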
Conclusion
A good configuration management process, while time consuming, will provide a strong platform from which to launch many security initiatives, including patch management, network segregation, defense in depth, data protection, and others. Configuration management has close ties to change management, and the processes of change management can complement the needs of configuration management.