
Configuration Management (from NIST)

This list of configuration management controls and their descriptions is meant to tie each control to an activity or behavior. For NIST's descriptions, see NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems.

  • Configuration management policy and procedures - Assign responsibilities and provide procedures for changes to systems or software. Provide a mechanism to enforce compliance. Provide a control to keep documentation current. (low)
  • Baseline configuration - Each system should have an established baseline configuration with documentation and an inventory of components including version numbers of all components. (low)
  • Configuration change control - Changes to systems are approved by appropriate officials. (moderate)
  • Monitoring configuration changes - Changes to systems are monitored and recorded. Analysis of the changes is done to be sure there are no adverse effects caused by the changes. (moderate)
  • Access restrictions for change - Prevents conflicting changes by allowing only one person at a time to make changes, in the case of software. (moderate)
  • Configuration settings - The configuration of systems is documented and monitored. For security reasons, the configuration settings are to be the most restrictive that still support the business case. (low)
  • Least functionality - This is basic server hardening: unneeded services, port access, and programs are shut down on computer systems. (moderate)
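
The baseline, change control, and monitoring items above can be checked together by comparing a system's observed component inventory against its documented baseline and the list of approved changes. The following is an added example, not taken from NIST or from this page; the component names, versions, and function names are constructed for illustration.

```python
"""Baseline drift check over constructed sample data (all names hypothetical)."""
from dataclasses import dataclass
from typing import Optional

# Constructed baseline: documented inventory of components with version numbers.
BASELINE = {"openssh-server": "9.6p1", "nginx": "1.24.0", "postgresql": "16.2"}
# Constructed change records approved by the appropriate officials:
# (component, resulting version); a version of None would mean an approved removal.
APPROVED = {("nginx", "1.26.1")}
# Constructed inventory as observed on the system.
OBSERVED = {"openssh-server": "9.6p1", "nginx": "1.26.1",
            "postgresql": "16.3", "telnetd": "0.17"}

@dataclass(frozen=True)
class Drift:
    component: str
    baseline: Optional[str]   # None: component is not in the baseline
    observed: Optional[str]   # None: component is missing from the system
    approved: bool

def find_drift(baseline, observed, approved):
    """Record every difference between the baseline and the observed inventory."""
    drift = []
    for name in sorted(set(baseline) | set(observed)):
        want, have = baseline.get(name), observed.get(name)
        if want != have:
            drift.append(Drift(name, want, have, (name, have) in approved))
    return drift

def unapproved(drift):
    """Changes with no matching approval: the ones that need analysis."""
    return [d for d in drift if not d.approved]

def updated_baseline(baseline, drift):
    """Fold approved changes into the baseline so the documentation stays current."""
    new = dict(baseline)
    for d in drift:
        if d.approved and d.observed is None:
            new.pop(d.component, None)
        elif d.approved:
            new[d.component] = d.observed
    return new

if __name__ == "__main__":
    found = find_drift(BASELINE, OBSERVED, APPROVED)
    for d in found:
        status = "approved" if d.approved else "UNAPPROVED"
        print(f"{status:10} {d.component}: {d.baseline} -> {d.observed}")
    print("new baseline:", updated_baseline(BASELINE, found))
```

A component that appears on the system but not in the baseline, such as the constructed telnetd entry, is also a least-functionality finding: it is either an unneeded service to shut down or a gap in the documented inventory.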