Non-functional Requirement - Configuration Assessment

Category: Security

Context: Configuration Assessment

Goals: A system's initial configuration must be resistant to unauthorized access to, or modification of, its configuration and data. The system must be maintained in a resistant configuration for the life of the system, and that configuration must be verified by appropriate means. System administration activities must be conducted with privileges limited to the minimum required to complete the activity.

Rationale: If the confidentiality and integrity of the data managed by the system are critical, the system must be configured and maintained in a secure state, resistant to unauthorized configuration and data modifications. To ensure that the system is maintained in that state, the configuration of the system must be verified at periodic intervals.

Requirement: The system must be configured to Metric. The configuration must be verified to Metric. Administrative functions must be conducted according to Metric.

Metric:

Level A:

A1. An independent third party will actively verify the configuration of the system at intervals no longer than three (3) years.
A2. An independent third party will actively verify the security of the application at intervals no longer than three (3) years.
A3. The security of application code will be verified by automated rule-based systems at intervals no longer than 365 days.
A4. The configuration of the system will be verified by automated rule-based systems at intervals no longer than seven (7) days.

Level B:

B1. The configuration of the system will be verified by automated rule-based systems at intervals no longer than 30 days.
B2. The configuration of the system will be compared against the Center for Internet Security (CIS) Level 1 benchmark or equivalent, and differences documented.
B3. A formal process exists for assessing configuration modifications prior to implementation.

Level C:

C1. The configuration of the system will be verified by automated rule-based systems at intervals no longer than 90 days.
C2. An automated, systematic means of mitigating software vulnerabilities must exist.
C3. The configuration of the IT system will meet a current vendor provided standard or benchmark.
C4. Modification of system configuration is restricted to individuals who meet the Security – System Awareness and Training non-functional requirement.

Level D:

D1. The configuration of the IT system will meet a documented standard or benchmark.
D2. The IT system patch intervals will meet the requirements in Operating Instructions 5.23.1.5 Security Patch Management.

Scale:

Configuration Standard: CIS Benchmark.
Patch Management Interval: Duration, <existing internal standard>
Configuration Assessment: Interval, Days

Stakeholders: System Managers, Operations, System Users

Implications: If this requirement is not met, the organization will incur significant risk of extended loss of business functionality in the event of unplanned configuration related outages.

Applicability: See Enterprise Requirements Framework

Tags: Security

Status: Approved, Requirement

Author: <Author>

Revision: <Revision>
Note:

Incorporates the traditional concepts of system hardening, code review, vulnerability management, penetration testing, patch management, and least privilege for access to and modification of system configuration.

The intent of this requirement is to ensure that systems are initially configured to a secure state, and that they remain in that state over the life of the system.

  • The initial condition of the system is ‘hardened’ consistent with this requirement.
  • A process or method must be implemented to ensure that the system is maintained in that state over its lifetime.
  • The condition of the system is verified periodically, at an interval depending on the Level within the requirement, for example by using vulnerability scans of systems and application code.
  • The application code is written and tested in accordance with a formal software development practice.
  • Technologies, tools, frameworks and libraries are implemented in a consistently secure manner.

For more information, see NFR Summary