The basic parameters that control how hardware, software, and even entire networks operate are configurations, whether they take the form of a single configuration file or a collection of connected configurations. For instance, the default properties a firewall uses to control traffic to and from a company's network, such as block lists, port forwarding, virtual LANs, and VPN information, are stored in the firewall's configuration file.
Configuration management is now presented as a new control in the new, revised edition of ISO 27002:2022 (Control 8.9). It is a crucial component of an organization's security management. This blog will guide you through the essentials of Control 8.9.
What is Control 8.9, Configuration Management?
The Standard states that hardware, software, service, and network settings, including security configurations, should be defined, recorded, put into practice, monitored, and routinely evaluated.
ISO 27002:2022 defines configuration management as “the process of controlling and managing the changes to the hardware, software, and network configurations of an organization’s IT systems. It is the practice of identifying, documenting, and managing the configuration items (CIs) of an organization’s IT systems, such as servers, network devices, applications, and databases.”
By keeping an accurate inventory of all configuration items, regulating and monitoring changes to them, and resetting systems to a known, secure state in the event of a security incident, configuration management aims to ensure that IT systems are secure, compliant, and operating at their peak efficiency.
Configuration management should be considered in the broader framework of an organization’s asset management. Configurations are essential for ensuring a network functions correctly and protecting devices from unauthorized changes or improper alterations made by vendors or maintenance workers.
Control 8.9 is a preventative measure that seeks to reduce cyber risk by creating a set of rules specifying how an organization records, puts into practice, keeps track of, and evaluates the use of configurations across the entirety of its ecosystem. The maintenance and monitoring of data and information stored on various devices and applications is the exclusive responsibility of configuration management, which is purely an administrative effort. Ownership ought to be held by the Head of IT or a position to that effect.
Configuration Management Steps
The following steps are commonly included in the configuration management process:
- Identify and document the configuration items: Make an inventory of every piece of hardware, software, and network device, together with its configuration.
- Establish and implement the change management process: Develop a procedure for submitting, approving, and putting modifications to the configuration items into effect and recording and monitoring those modifications.
- Monitor and report: Monitor compliance and security issues with the configuration items and inform the appropriate parties if any are discovered.
- Backup and restore: Make and keep copies of the configuration items and have a procedure to return systems to a known, secure state in case of a security incident.
In general, companies must develop and implement configuration management policies for both newly installed hardware and software and any already in use. Business-critical components like security configurations, all hardware that stores configuration files, and any pertinent software applications or systems should all be covered by internal controls.
When establishing a configuration management policy, Control 8.9 urges businesses to consider every relevant role and duty, including delegating configuration ownership on a device-by-device or application-by-application basis.
Considerations for Effective Configuration Management
Configuration management should be used with the organization's security and business objectives. It should be ultimately linked with the corporate security policy and change management since, according to ISO 27002, Control 8.32, Change Management supports Control 8.9.
Whenever possible, businesses should securely configure all of their hardware, software, and systems by using standardized templates. These templates should be compatible with the organization's larger information security activities, including all pertinent ISO controls, and meet the minimal security criteria for the device, application, or system they are applicable.
IT managers should be aware of the organization's particular business needs, especially regarding security setups, as well as how practical it is to use or manage a template at any given time. The timing of reviewing these configuration templates should take into account any hardware or software changes and any emerging security threats.
In accordance with the change management control (Control 8.32), an organization is responsible for maintaining and storing configurations, including keeping a record of any modifications or new installs. The logs should include information such as the asset owner, the most recent configuration modifications' timestamps, the configuration template's current version, and any other pertinent information that aids in identifying connections to other assets or systems.
Configuration Management is more than ISO Compliance
In addition to ISO 27002:2022, more and more compliance standards and security benchmarks are realizing that Secure Configuration Management is a must, as it is an essential preventive measure to harden systems, reduce exposure to vulnerabilities, and prevent potential breaches.
For example, PCI DSS is a long-time advocate of configuration management. The standard mandates File Integrity Monitoring (FIM) to keep track of changes that may lead to configuration drift and lead assets out of compliance due to a change after it was marked as being compliant.
Organizations should deploy a wide range of techniques to monitor the operation of configuration files across their network, including automation and specialized configuration maintenance solutions. Fortra’s Tripwire Security Configuration Management solutions not only provide compliance assessments but also use FIM to track any configuration drift that can cause assets to fall out of compliance due to a change so that appropriate remediation can be taken immediately.
Let Tripwire solve your biggest security and compliance challenges. Request a demo to get started.