INNOVATION & TECHNOLOGY
Security-Focused Configuration Management Providing guidance and best practices for configuration management with security “top of mind”
A
s an IT service management (ITSM) and cybersecurity practitioner, it is concerning when an ITSM team is not aware of the critical role that change and configuration management play in a strong cybersecurity posture. Similarly, it is concerning when a security team defines policy around configuration management, yet isn’t working with the ITSM team to instrument those policies in the service desk. The lines of separation between the two teams have clearly become blurred and the walls of separation must come down. Configuration management must be defined based on security best practices and, at the same, time configuration management security policies must include industry best practices instrumented and automated via the ITSM team in the associated tools. Enter: security-focused configuration management Specifically, security-focused configuration management (SecCM) is the management and control of secure configurations for a system to enable security and facilitate the management of risk. SecCM builds on the general concepts, processes and activities of configuration management by focusing on the implemen20
meadowlandsmedia.com
March 2021
tation and maintenance of the established security requirements of the organization and systems. SecCM is focused on providing ITSM and security professionals with guidance and best practices for configuration management with security “top of mind.” This area of security has become so critical that the National Institute of Standards and Technology (NIST) has dedicated an entire publication to this topic. The NIST Special Publication 800-128 (NIST SP 800-128) “Guide for Security-Focused Configuration Management of Information Systems” can be found and downloaded from nist.gov directly at no charge. NIST SP 800-128 applies specifically to federal systems but, as we all know, what initially starts with federal mandates often becomes a flow-down requirement for any commercial entity providing goods and/or services to the federal government directly or through contractors. This document provides configuration management concepts, principles and recommended security controls for information systems and organizations. NIST SP 800-128 assumes that information security is an integral part of an organization’s overall configuration management procedures.
