ISO 27001:2022 – 8.9 Configuration Management

What are my requirements?
Sarah Morrison
July 13, 2023

Configuration Management

Under ISO/IEC 27001:2022, the new Annex A 8.9 control objective, like all other controls, reads rather vaguely:

“Configurations, including security configurations, of hardware, software, services and networks should be established, documented, implemented, monitored and reviewed.”

ISO 27001 Annex A 8.9’s expectations

Configuration management is an IT-related task defined by the ISO/IEC 27002:2022 framework as a Preventative Control. There is no hidden agenda or meaning to 8.9, and it refers directly to how an organisation manages the configuration of hardware, software, services and networks. ISO does not want to see any keyboard cowboys within your network. Instead, the organisation should:

“define and implement processes and tools to enforce the defined configurations (including security configurations) for hardware, software, services (e.g. cloud services) and networks, for newly installed systems as well as for operational systems over their lifetime”.

You also need to ensure that controls are in place so that only those individuals responsible for configuration management are undertaking changes and that these changes are following the correct procedures. For example, if you decide to implement data loss prevention controls through your cloud provider, you must follow a change management plan approved by your Change Advisory Board (CAB) or equivalent.

ISO 27002 configuration management implementation advice

If you’ve been around long enough, you will have come across configuration management in one form or another. You may have developed a standard operating environment (SOE) used to build new servers, workstations or laptops. “Gold images” and other terms for master images have been used for running up defined configurations of virtual machines. Or, if you have been around a really long time, you may have used the old Ghost program to automate the build of hundreds of desktops. These are all forms or components of what 8.9 is looking for: a defined, secure starting point that can be applied consistently across your environments.

Realistically, most organisations may already be fulfilling the requirements of 8.9. For example, the recommended standard templates for secure configuration include:

  • Ensuring privileged or admin access is limited to only those who require it for their role.
  • Undertaking access control reviews to ensure unnecessary, unused or insecure identities are removed.
  • Ensuring unnecessary or unused functions and services are disabled.
  • Making sure access to utility programs such as antivirus, backup and disk tools is limited to the IT personnel who require it for their roles.
  • Synchronising clocks.
  • Making sure default passwords are changed.
  • Invoking time-out facilities, and
  • Making sure the organisation meets the licensing requirements of products.

You should be doing all the above; if you are not, then you had better start. You would be shocked at how many organisations do not change default passwords, which is probably why the 27002 framework has included this requirement as an example of things you should be doing!

And if you’re wondering how important it is to have systems and networks secured from the start, researchers back in 2004 found that an unpatched, unsecured Windows PC connected to the Internet would last 20 minutes on average before it was compromised. The same research had put the figure at 40 minutes in 2003. It’s an old statistic, but if the time halved in a single year almost 20 years ago, I wonder what the timeframe would be now?

What else is expected for our business to comply?

To ensure that you are making the most out of your assets and maintaining best practices regarding security, you should also review configurations regularly. After all, when we talk about security, the threat landscape changes constantly, and vendors continuously add new functionality and security controls. So the last thing you want is a static configuration you haven’t updated in years. This may involve a manual process of reviewing configuration settings on a schedule. It may also be triggered when the manufacturer updates the product, at which point you may discover the latest bells and whistles that benefit your organisation or help improve your overall security posture. For some more established providers, such as Microsoft, you should take advantage of their tools to ensure you have configured everything correctly.
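The template items listed above and the regular review described here are the same activity run at two points in time: declare a secure baseline, then compare what a system actually looks like against it. The following Python script is an added example, not code from the original post or from any ISO document; it checks a constructed inventory of hosts against a constructed baseline covering limited admin access, disabled unused services, changed default passwords, synchronised clocks and session time-outs, and reports each deviation so the output can be kept as review evidence. The baseline keys, hostnames and account names are all assumptions made for the example.

```python
"""Baseline configuration drift check (added example, not from the original post).

Compares the observed settings of each host against a declared secure baseline
of the kind Annex A 8.9 expects and reports every deviation, so the same check
can be run at build time and again on a schedule as part of a configuration review.
All baseline keys, hostnames and account names below are constructed for this example.
"""
from dataclasses import dataclass

# Declared secure baseline (constructed), modelled on the ISO 27002 template items.
BASELINE = {
    "admin_group_members": {"allowed": {"it-admin-1", "it-admin-2"}},
    "services_disabled": {"required": {"telnet", "ftp", "smbv1"}},
    "default_passwords_changed": {"expected": True},
    "ntp_configured": {"expected": True},
    "session_timeout_minutes": {"max": 15},
}


@dataclass
class Finding:
    host: str
    control: str
    detail: str


def check_host(host: str, observed: dict) -> list[Finding]:
    """Return one Finding per baseline item the observed configuration violates."""
    findings: list[Finding] = []

    # Privileged access limited to the approved identities only.
    extra_admins = set(observed.get("admin_group_members", [])) - BASELINE["admin_group_members"]["allowed"]
    if extra_admins:
        findings.append(Finding(host, "admin_group_members",
                                f"unapproved admin accounts: {sorted(extra_admins)}"))

    # Unnecessary or unused services must not be running.
    still_running = set(observed.get("running_services", [])) & BASELINE["services_disabled"]["required"]
    if still_running:
        findings.append(Finding(host, "services_disabled",
                                f"services that should be disabled: {sorted(still_running)}"))

    # Vendor default credentials must have been replaced.
    if observed.get("default_passwords_changed") is not True:
        findings.append(Finding(host, "default_passwords_changed", "default password(s) still in use"))

    # Clocks synchronised, so that audit logs across hosts can be correlated.
    if observed.get("ntp_configured") is not True:
        findings.append(Finding(host, "ntp_configured", "no time synchronisation configured"))

    # Idle session time-out must be within the permitted maximum.
    timeout = observed.get("session_timeout_minutes")
    limit = BASELINE["session_timeout_minutes"]["max"]
    if timeout is None or timeout > limit:
        findings.append(Finding(host, "session_timeout_minutes",
                                f"time-out is {timeout}, baseline maximum is {limit}"))
    return findings


def review(inventory: dict) -> dict:
    """Run the check across an inventory; return only the hosts that have drifted."""
    return {host: f for host, observed in inventory.items() if (f := check_host(host, observed))}


# Constructed sample inventory: one compliant host and one that has drifted.
SAMPLE_INVENTORY = {
    "srv-web-01": {
        "admin_group_members": ["it-admin-1"],
        "running_services": ["sshd", "nginx"],
        "default_passwords_changed": True,
        "ntp_configured": True,
        "session_timeout_minutes": 10,
    },
    "srv-file-02": {
        "admin_group_members": ["it-admin-1", "contractor-bob"],
        "running_services": ["sshd", "smbv1", "telnet"],
        "default_passwords_changed": False,
        "ntp_configured": True,
        "session_timeout_minutes": 60,
    },
}

if __name__ == "__main__":
    for host, findings in review(SAMPLE_INVENTORY).items():
        for f in findings:
            print(f"{host}: {f.control}: {f.detail}")
```

In practice the observed records would be collected by your endpoint management or configuration tooling rather than typed in, and each finding would feed a change request through your normal change management process rather than being fixed by hand.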

On a personal note, configuration reviews undertaken by an external third party can be a great way to identify any security gaps. Just ensure that the person/organisation undertaking the review has the relevant experience. Before you pay anyone, however, make sure you do your homework to see if your existing provider offers free tooling to help you. For example, Microsoft provides a free 90-day Configuration analyser for protection policies in EOP and Microsoft Defender for Office 365, which will find and fix security policies for you, such as anti-spam, anti-malware and EOP anti-phishing policies. Just make sure you keep the results for your next ISO audit.

If you have any questions or need some advice on where to start, please reach out.

Sarah Morrison

Sarah is the Co-CEO of Morrisec. With over 20 years in cybersecurity and a PhD in Russian information operations, Sarah has a deep understanding of threat actors and their tactics and motivations, making her highly equipped to assist organisations in their defence against them.
