Information Technology Procedure IT 3.4 IT Configuration Management

Similar documents
Daxko s PCI DSS Responsibilities

Total Security Management PCI DSS Compliance Guide

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Carbon Black PCI Compliance Mapping Checklist

The University of Texas at El Paso. Information Security Office Minimum Security Standards for Systems

Altius IT Policy Collection Compliance and Standards Matrix

Payment Card Industry (PCI) Data Security Standard

Altius IT Policy Collection Compliance and Standards Matrix

Managed Security Services - Endpoint Managed Security on Cloud

Standard Development Timeline

ISO27001 Preparing your business with Snare

ISO STANDARD IMPLEMENTATION AND TECHNOLOGY CONSOLIDATION

90% 191 Security Best Practices. Blades. 52 Regulatory Requirements. Compliance Report PCI DSS 2.0. related to this regulation

ISO/IEC Solution Brief ISO/IEC EventTracker 8815 Centre Park Drive, Columbia MD 21045

AUTHORITY FOR ELECTRICITY REGULATION

CIP Cyber Security Configuration Change Management and Vulnerability Assessments

PCI Time-Based Requirements as a Starting Point for Business-As-Usual Process Monitoring

Information Technology Security Plan Policy, Control, and Procedures Manual Detect: Anomalies and Events

SECURITY PRACTICES OVERVIEW

MIS Systems & Infrastructure Lifecycle Management 1. Week 12 April 7, 2016

IT SECURITY RISK ANALYSIS FOR MEANINGFUL USE STAGE I

FairWarning Mapping to PCI DSS 3.0, Requirement 10

External Supplier Control Obligations. Cyber Security

Payment Card Industry Internal Security Assessor: Quick Reference V1.0

CIP Cyber Security Configuration Change Management and Vulnerability Assessments

PeopleSoft Finance Access and Security Audit

MIS Week 9 Host Hardening

CIP Cyber Security Configuration Change Management and Vulnerability Assessments

CIP Cyber Security Configuration Management and Vulnerability Assessments

LOGmanager and PCI Data Security Standard v3.2 compliance

Best Practices for PCI DSS Version 3.2 Network Security Compliance

NERC CIP VERSION 6 BACKGROUND COMPLIANCE HIGHLIGHTS

Standard CIP 007 3a Cyber Security Systems Security Management

Industrial Defender ASM. for Automation Systems Management

Juniper Vendor Security Requirements

The Honest Advantage

Introduction NOTE IF THE REQUEST IS APPROVED, BEFORE PROCEEDING, THE REQUESTING DEPARTMENT MUST AGREE TO BE

01.0 Policy Responsibilities and Oversight

Altius IT Policy Collection

Security Architecture

Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV

Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud

existing customer base (commercial and guidance and directives and all Federal regulations as federal)

Going Paperless & Remote File Sharing

HIPAA Assessment. Prepared For: ABC Medical Center Prepared By: Compliance Department

University of Sunderland Business Assurance PCI Security Policy

K12 Cybersecurity Roadmap

The Common Controls Framework BY ADOBE

FedRAMP: Understanding Agency and Cloud Provider Responsibilities

Client Computing Security Standard (CCSS)

Table of Contents. Policy Patch Management Version Control

Information Technology General Control Review

Ensuring Desktop Central Compliance to Payment Card Industry (PCI) Data Security Standard

Standard CIP Cyber Security Systems Security Management

ITSM20F_Umang. Number: ITSM20F Passing Score: 800 Time Limit: 120 min File Version: 4.0. Exin ITSM20F

Cellular Site Simulator Usage and Privacy

Information Security Policy

Technical Vulnerability and Patch Management Policy Document Number: OIL-IS-POL-TVPM

WHITE PAPER- Managed Services Security Practices

Information Security Office. Information Security Server Vulnerability Management Standards

Critical Cyber Asset Identification Security Management Controls

Sparta Systems Stratas Solution

TECHNICAL AND ORGANIZATIONAL DATA SECURITY MEASURES

Virtualization Security & Audit. John Tannahill, CA, CISM, CGEIT, CRISC

ANZSCO Descriptions The following list contains example descriptions of ICT units and employment duties for each nominated occupation ANZSCO code. And

This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective.

RAPID7 INFORMATION SECURITY. An Overview of Rapid7 s Internal Security Practices and Procedures

INFORMATION RESOURCE SECURITY CONFIGURATION AND MANAGEMENT

Automated Firewall Change Management Securing change management workflow to ensure continuous compliance and reduce risk

IBM Managed Security Services - Vulnerability Scanning

Chapter 8: SDLC Reviews and Audit Learning objectives Introduction Role of IS Auditor in SDLC

Cyber Security Requirements for Electronic Safety and Security

UNIVERSITY OF MASSACHUSETTS AMHERST INFORMATION SECURITY POLICY October 25, 2017

Epicor ERP Cloud Services Specification Multi-Tenant and Dedicated Tenant Cloud Services (Updated July 31, 2017)

Sparta Systems TrackWise Digital Solution

ICT OPERATING SYSTEM SECURITY CONTROLS POLICY

WHO AM I? Been working in IT Security since 1992

A company built on security

Version v November 2015

CIP Cyber Security Configuration Change Management and Vulnerability Assessments

SOC-2 Requirement Solution Brief. EventTracker 8815 Centre Park Drive, Columbia MD SOC-2

Institute of Internal Auditors 2018 IIA CHICAGO CHAPTER JOIN NTAC:4UC-11

AppPulse Point of Presence (POP)

IT CONTINUITY, BACKUP AND RECOVERY POLICY

Network Detective. Prepared For: Your Customer / Prospect Prepared By: Your Company Name

Microsoft Security Management

Data Security and Privacy Principles IBM Cloud Services

Standard CIP Cyber Security Systems Security Management

University of Hawaii Hosted Website Service

CIP Cyber Security Systems Security Management

Vendor Security Questionnaire

Sparta Systems TrackWise Solution

1. SAR posted for comment (March 20, 2008). 2. SC authorized moving the SAR forward to standard development (July 10, 2008).

SECURITY & PRIVACY DOCUMENTATION

Technical Review Managing Risk, Complexity, and Cost with SanerNow Endpoint Security and Management Platform

State of Rhode Island Department of Administration Division of Information Technol

Version 1/2018. GDPR Processor Security Controls

Standard CIP 007 4a Cyber Security Systems Security Management

Service Description: Advanced Services- Fixed Price: Cisco UCCE Branch Advise and Implement Services (ASF-CX-G-REBPB-CE)

Chapter 18 SaskPower Managing the Risk of Cyber Incidents 1.0 MAIN POINTS

Transcription:

Information Technology Procedure IT Configuration Management Contents Purpose and Scope... 1 Responsibilities... 1 Procedure... 1 Identify and Record Configuration... 2 Document Planned Changes... 3 Evaluating and Testing Changes... 3 Deploy Changes, Update... 4 Monitor As-Built Against... 4 References... 5 Exhibits... 5 Purpose and Scope This Procedure outlines how Texas Southmost College ( TSC ) controls the configuration of its network, systems and applications. It applies to all TSC managed infrastructure, but excludes systems provided to TSC as a service and hosted by the vendor, rather than on TSC s network. Responsibilities Title or Role Chief Information Officer IT Team Members What They are Responsible For Maintains and Enforces this Procedure. Responsible for implementing this Procedure. Procedure This Procedure defines how TSC defines and maintains a controlled information technology environment, including how changes to network components, servers and applications are evaluated, tested and deployed to the production environment, and how TSC protects itself from unplanned changes to that environment. Configuration Management is a key part of managing the overall risk to the TSC organization. IT Configuration Management 1 of 5 Last Updated: 5/16/2018 11:40 AM

Below are a few key terms: Configuration Management (CM) comprises a collection of activities focused on establishing and maintaining the integrity of products and systems, through control of the processes for initializing, changing, and monitoring the configurations of those products and systems. A Configuration Item (CI) is an identifiable part of a system (e.g., hardware, software, firmware, documentation, or a combination thereof) that is a discrete target of configuration control processes. A Configuration is a set of specifications for a system, or CI within a system, that has been formally reviewed and agreed on at a given point in time, and which can be changed only through change control procedures. The baseline configuration is used as a basis for future builds, releases, and/or changes. Configuration Change Control process for managing updates to the baseline configurations for the configuration items. Configuration Monitoring process for assessing or testing the level of compliance with the established baseline configuration and mechanisms for reporting on the configuration status of items placed under CM. The diagram below shows the key elements of the configuration management process. These same steps apply to management of the overall environment, and to individual Configuration Items. Document Planned Changes Monitor As-Built Against Identify and Record Configuration Evaluate/ Test Changes Deploy Changes, Update Having a known baseline configuration allows more rapid detection of system compromise, and speeds restoration to a known state in the event of either a security event or a system failure. The rest of this Procedure defines expectations for each phase of this process. Identify and Record Configuration There are two key elements to this: IT Configuration Management 2 of 5 Last Updated: 5/16/2018 11:40 AM

1) Maintaining a configuration database that is an inventory of all hardware components, the software running on them, and their configuration. 2) Defining standardized configurations and images for servers, workstations, and network components that are used as the starting point when building out new systems. When possible, National Institute of Standards and Technology (NIST) hardening guidelines should be followed when creating standardized configurations and images. This excludes equipment attached to the public wireless network, and equipment brought in by event coordinators and attached to the event network. TSC will maintain a consolidated inventory of all TSC owned hardware and the software running on them, leveraging software tools as they are available. This inventory will include all systems either on the TSC network or at TSC data centers, and will also include software as a service (SaaS) systems that are integrated with TSC systems. For SaaS systems, the focus will be on the system business purpose and its integrations. Details of the SaaS application infrastructure are not required. IT must be involved in the selection, acquisition and integration of SaaS applications, including any significant changes to the integration, as with any other system change. TSC will define secure baseline configurations for each system type (workstations, network devices, servers, etc.). These baseline configurations where possible will be captured as images, and will be used as the starting point when building out new components. Document Planned Changes ITSec 3.4.1, Change Management Procedure, addresses the process for documenting and approving planned changes. All planned changes must be reviewed and approved prior to execution. Some examples of changes include: 1) Adding new hardware or hardware components to the TSC environment 2) Removing hardware from the environment 3) Installing new software 4) Removing software 5) Software or firmware upgrades 6) Patching 7) Network Configuration changes (outside of routine changes required for supporting day-to-day operations). This includes any wireless configuration changes. 8) Other configuration changes (scheduling new automated tasks, changing firewall, router or switch configurations, etc.). Normal infrastructure updates done in the normal course of business are not considered changes. Examples would include enabling/disabling user accounts. However, changes that affect the infrastructure s configuration or structure (new devices, enabling or disabling services, or changes to firewall or routing rules that affect the function of the infrastructure) are included. Evaluating and Testing Changes Each change must be evaluated based on: a) The risk of disrupting business operations. IT Configuration Management 3 of 5 Last Updated: 5/16/2018 11:40 AM

b) The potential impact on the security of the TSC network and systems. c) Consultation with Subject Matter Experts (SMEs). d) The business need for the change. e) Awareness of the change within the parts of the business affected by it. The requester and reviewer(s) must address these two key issues. Whenever possible, the change should first be tested in an environment that minimizes the risk of disrupting business operations. This could be a non-production environment or it can be a system that is less mission-critical. Details of the testing performed should be documented as part of the change control, including who did the testing and where it was performed. Once the change has been evaluated and tested if possible, the reviewer can approve the change for deployment to production. Deploy Changes, Update Once the change has been reviewed, evaluated, tested and approved, it can be deployed to production in accordance with the timeline outlined in the change control. It is the responsibility of the individual deploying the change to also update the configuration database to reflect the change(s) made, and if applicable, to also update baseline configurations and images to reflect the change. The change control shall be updated with the following: 1) Time the change was made 2) Any issues encountered during the deployment 3) Confirmation that the configuration database and baseline configuration were updated. If there are unanticipated side effects caused by the change (e.g. a disruption in IT services or business operations), the change should be rolled back and the change control updated, including with any follow-on investigation and resolution of the issue. If the issue is subsequently resolved, the old change control should be closed, and a new change control should be created that refers to the old change control to implement the subsequent change. This will ensure that a clear audit trail exists of all changes, including those that are subsequently rolled back. Monitor As-Built Against At least annually, but also as required, the IT team will do a self-audit of the as-built configurations of all servers and network components against the configuration database, and investigate and resolve any discrepancies. This monitoring can be accomplished either manually, or using software tools specifically for this purpose. Firewall and router rule sets must be reviewed every 6 months. A procedure must be put in place documenting these reviews. Note: This addresses PCI requirement 1.1.7. File Integrity software must be used to alert personnel to unauthorized modification (including changes, additions and deletions) of critical system files, configuration files, or content files. The software shall perform critical file comparisons at least weekly. Critical files are usually those that do not regularly change, but the modification of which could indicate a system compromise or risk of compromise. Change-detection mechanisms such as file-integrity monitoring products usually come pre-configured with critical files for the related operating system. Other critical files, such as those for custom applications, must be evaluated and defined by the IT team. IT Configuration Management 4 of 5 Last Updated: 5/16/2018 11:40 AM

Note: This addresses PCI requirement 11.5. References This section contains any 3 rd party standards, guidelines, or other policies referenced by this Procedure. 1. NIST Special Publication 800-128, Guide for Security-Focused Configuration Management of Information Systems 2. Payment Card Industry (PCI) Data Security Standard, v3.2 Exhibits No Exhibits for this Procedure. IT Configuration Management 5 of 5 Last Updated: 5/16/2018 11:40 AM

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback