Configuration management (CM)
|“||[refers to] procedures or software for tracking releases and changes to software components so that previous versions can be recreated. It can also prevent unauthorized access to files or alert appropriate users when a file has been modified or released. Hardware configuration management can be facilitated through maintenance of a database containing information about the workstations, servers, bridges, routers, and other equipment on the network.||”|
|“||applies technical and administrative direction and surveillance to identify and document the functional and physical characteristics of a Configuration Item (CI), to control changes to those characteristics, record and report change processing and implementation status, and verify the compliance of the CI with specified requirements.||”|
|“||[is] [m]anagement of security features and assurances through control of changes made to hardware, software, firmware, documentation, test, test fixtures, and test documentation throughout the life cycle of an IS.||”|
The purpose of configuration management is to establish and maintain the integrity of an organization’s systems. It involves identifying and managing security features for all hardware, software, and firmware components of an information system at a given point and systematically controlling changes to that configuration during the system’s life cycle. By implementing configuration management and establishing and maintaining baseline configurations and monitoring changes to these configurations, organizations can better ensure that only authorized applications and programs are placed into operation.
An effective configuration management process includes procedures for (1) identifying, documenting, and assigning unique identifiers (for example, serial number and name) to a system’s hardware and software parts and subparts, generally referred to as configuration items; (2) evaluating and deciding whether to approve changes to a system’s baseline configuration; (3) documenting and reporting on the status of configuration items as a system evolves; (4) determining alignment between the actual system and the documentation describing it; and (5) developing and implementing a configuration management plan for each system. In addition, establishing controls over the modification of information system components and related documentation helps to prevent unauthorized changes and ensure that only authorized systems and related program modifications are implemented. This is accomplished by instituting policies, procedures, and techniques that help make sure all hardware, software, and firmware programs and program modifications are properly authorized, tested, and approved.
Organizations should ensure that changes to systems are necessary, work as intended, and do not result in the loss of data or program integrity by documenting, authorizing, testing, and independently reviewing changes.
- Insider Threat Study, at 56.
- California Office of Systems Integration, Definitions (full-text).
- Practices for Securing Critical Information Assets, Glossary, at 53.
- Information Security: Securities and Exchange Commission Needs to Consistently Implement Effective Controls, at 11.