What Is SCM?
The National Institute of Standards and Technology (NIST) defines security configuration management as “the management and control of configurations for an information system to enable security and facilitate the management of risk.” At its heart, SCM is a digital security process designed to harden digital systems against digital attacks. It can also help organizations shrink their attack surfaces. The purpose of SCM is to make sure an organization’s systems are properly configured to meet the organization’s security and compliance requirements. From a security standpoint, organizations need to minimize misconfigurations, because malicious actors could use a broken setting as an entry point into the organization’s network. This threat places the onus on organizations to define what a secure configuration baseline looks like for each of their assets and then to continuously monitor those assets for deviations. Any unexpected change could indicate a security issue.

Simultaneously, organizations need to apply SCM to their compliance efforts, as many industry standards and regulations incorporate some form of this security fundamental. Organizations can therefore use secure configuration management to reduce the time it takes to prepare for an audit. They can also use the control to obtain visibility into their post-audit compliance state: SCM can track changes to the network and raise an alert if deviations occur. Such functionality enables the organization to return to its secure baseline state well ahead of its next audit date.

How SCM Fits into an Organizational Security Strategy
Secure configuration management does not stand alone as a security control. By design, it works together with and augments other security measures. The Center for Internet Control (CIS) recognizes this fact, which is why it listed SCM fifth in its list of top security controls:
- Inventory and Control of Hardware Assets: Organizations need to know which hardware assets are connected to the network.
- Inventory and Control of Software Assets: Beyond hardware, it’s important to have an inventory of what embedded code, applications and services require protection.
- Continuous Vulnerability Management: Once organizations have an inventory of their hardware and software, they can scan those assets for security weaknesses and use their vulnerability management plan to prioritize fixes.
- Controlled Use of Administrative Privileges: To safeguard the network even further, organizations should control the types of resources to which employees, contractors and others have access depending on their work duties.
- Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers: Last but not least, organizations must maintain the secure baselines of their hardware and software assets.
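The baseline-and-deviation loop that the article describes (define a secure baseline per asset, compare what each asset actually reports against it, and alert on change) can be written as a small drift check. The following is an added example and is not code from the article or from any SCM product; the asset names, setting names and values are constructed for illustration.

```python
from typing import Dict, List, Optional, Tuple

# Constructed secure baseline per asset: setting -> required value.
# Asset and setting names are hypothetical (chosen to resemble sshd options).
BASELINE: Dict[str, Dict[str, str]] = {
    "web-01": {"PermitRootLogin": "no", "PasswordAuthentication": "no",
               "X11Forwarding": "no"},
    "db-01": {"PermitRootLogin": "no", "PasswordAuthentication": "no",
              "MaxAuthTries": "3"},
}

# Constructed snapshot of what a monitoring agent reported from each asset.
OBSERVED: Dict[str, Dict[str, str]] = {
    "web-01": {"PermitRootLogin": "yes", "PasswordAuthentication": "no",
               "X11Forwarding": "no"},
    "db-01": {"PermitRootLogin": "no", "PasswordAuthentication": "no"},
}

# (asset, setting, expected, observed); None = absent
Finding = Tuple[str, str, Optional[str], Optional[str]]


def detect_drift(baseline: Dict[str, Dict[str, str]],
                 observed: Dict[str, Dict[str, str]]) -> List[Finding]:
    """Compare every asset against its baseline. A wrong value and a missing
    setting both count as deviations; an asset that sent no snapshot at all is
    reported as (asset, "*", None, None), since silence is not compliance."""
    findings: List[Finding] = []
    for asset, required in baseline.items():
        snapshot = observed.get(asset)
        if snapshot is None:
            findings.append((asset, "*", None, None))
            continue
        for setting, expected in required.items():
            actual = snapshot.get(setting)
            if actual != expected:
                findings.append((asset, setting, expected, actual))
    return findings


def changes_between(previous: Dict[str, Dict[str, str]],
                    current: Dict[str, Dict[str, str]]) -> List[Finding]:
    """Diff two successive snapshots so any added, removed or altered setting
    raises a change alert, independent of the baseline comparison."""
    changes: List[Finding] = []
    for asset in sorted(set(previous) | set(current)):
        before, after = previous.get(asset, {}), current.get(asset, {})
        for setting in sorted(set(before) | set(after)):
            if before.get(setting) != after.get(setting):
                changes.append((asset, setting, before.get(setting), after.get(setting)))
    return changes


if __name__ == "__main__":
    for asset, setting, expected, actual in detect_drift(BASELINE, OBSERVED):
        print(f"ALERT {asset}: {setting} expected={expected!r} observed={actual!r}")
```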