Key Area 2: Configuration Management (CM)

Congress and IT Auditors place significant emphasis on the ability of an agency to consistently perform CM on its systems and networks. Why?

In order to consider a CM Program mature, the agency must:

• Maintain an accurate, up-to-date inventory or assets
• Classify data into sensitivity levels to prioritize configuration issues
• Routinely evaluate the security risk of configuration changes to the enterprise, including AV, FW, etc.
• Coordinate and manage the activities of numerous organizational components such as Business owners, network managers, application providers, CIO, security office, and compliance office.

Executing CM effectively drives good security