Configuration management is identified as one
of the security controls within the NIST 800-53 document (National Institute of Standards and Technology, 2015). This is not to be
confused with security configuration management, or SCM as it is known. SCM is
concerned with security configurations on a system, such as the Security
Technical Installation Guides available for Department of Defense systems.
Configuration management is based on defining a baseline of hardware and
software installed on a system and the policies and procedures that control and
enforce that baseline.
Beyond information security, configuration management
is one of the foundations of developing an effective information technology
program within an enterprise. While it is defined as a security control, it is
also defined in other processes such as the Information Technology
Infrastructure Library, or ITIL (HP, 2007). Understanding the hardware
and software within an organization feeds directly into understanding the environment
and populating a configuration management database (CMDB). While configuration
management is primarily concerned with understanding what is deployed on the
network at any given time, other processes such as change management are
charged with tracking those changes and ensuring that the CMDB is updated
accordingly.
Unfortunately, configuration
management is not very easy, typically growing in complexity, difficulty and
labor requirements as the enterprise grows in size. While it seems
straightforward, keeping track of what is deployed can be very difficult. Factors such
as mission requirements, emergency changes, complex environments with multiple
operating systems and other systems, lack of training, and others can each
undermine configuration management. Also, being forced to go through tedious
processes can seem cumbersome and a waste of time to personnel who simply want
to keep their systems running, meaning that it is also a cultural problem.
Limited funding in a less than stellar economy means that staff are
likely burdened with responsibilities, most of which their jobs depend on and
which will thus always receive priority over something as extraneous as CM.
While there are many issues with
implementing CM, they do not negate the necessity of getting it right. IT services
depend on accurate CM, especially if an organization has service level
agreements (SLAs) to meet. Failure to ensure all systems are updated (easier if
CM is accurate) can result in broken systems if corrective fixes cannot be
applied where and when needed with accuracy. Such issues in managing the IT
infrastructure lead to security issues where like systems are constantly
on different software versions and configurations, thus leading to
vulnerabilities on the network that can be exploited months or even years after
patches are released. Making a commitment to CM can go a long way towards
shoring up many of these issues, but it will likely only occur when management sees
a direct correlation between CM and the bottom line, and is thus likely to be
uneven across organizations.
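As an added example (not from the original post), the drift check below compares a CMDB-style baseline for one host role against package inventories from three hosts and flags the missing, outdated, mismatched and unapproved software that the paragraph above describes. The role name, host names, package names and version numbers are all constructed for illustration.

```python
"""Baseline drift check: compare a CMDB baseline against observed host inventories."""

# Constructed baseline: what the CMDB says every host of the "web" role should run.
BASELINE = {
    "web": {"openssl": "3.0.13", "nginx": "1.24.0", "python3": "3.11.9"},
}

# Constructed inventories, as a package query or agent would report them.
# web01 matches, web02 runs an old openssl plus an unapproved tool, web03 lacks nginx.
INVENTORY = {
    "web01": {"openssl": "3.0.13", "nginx": "1.24.0", "python3": "3.11.9"},
    "web02": {"openssl": "3.0.2", "nginx": "1.24.0", "python3": "3.11.9", "netcat": "1.226"},
    "web03": {"openssl": "3.0.13", "python3": "3.11.9"},
}


def version_tuple(version):
    """Turn a dotted numeric version such as '3.0.13' into a comparable tuple."""
    return tuple(int(part) for part in version.split("."))


def check_host(role, observed, baseline=BASELINE):
    """Return (finding, package, expected, observed) tuples for one host.

    'outdated' means the host is behind the baseline (the unpatched case the
    text warns about); 'mismatch' means ahead of or otherwise unequal to it.
    """
    expected = baseline[role]
    findings = []
    for pkg, want in expected.items():
        have = observed.get(pkg)
        if have is None:
            findings.append(("missing", pkg, want, None))
        elif version_tuple(have) < version_tuple(want):
            findings.append(("outdated", pkg, want, have))
        elif have != want:
            findings.append(("mismatch", pkg, want, have))
    # Anything installed that the baseline does not list is an unapproved change.
    for pkg in sorted(set(observed) - set(expected)):
        findings.append(("unapproved", pkg, None, observed[pkg]))
    return findings


def drift_report(roles, inventory=INVENTORY, baseline=BASELINE):
    """Map each host name to its findings; an empty list means no drift."""
    return {host: check_host(roles[host], pkgs, baseline) for host, pkgs in inventory.items()}


if __name__ == "__main__":
    for host, findings in drift_report({h: "web" for h in INVENTORY}).items():
        print(host, findings or "OK")
```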
Works Cited
HP. (2007). ITIL v3 Configuration Management
System. Retrieved July 2, 2015, from hp.com:
http://www.hp.com/hpinfo/newsroom/press_kits/2009/lasvegasevents2009/ITILv3CMS.pdf
National Institute of Standards and Technology.
(2013, July). NIST.org. Retrieved June 26, 2015, from Biometric
Specifications for Personal Identity Verification:
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-76-2.pdf