3.4.1 has a weight of -5 points

(Configuration Management Family) 1/9

Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.

Example of System Security Plan (SSP):

    1. Defined Baseline Configurations: Documented and formally reviewed specifications for system configurations. Included details such as hardware, software, firmware, and documentation.
    2. Established Baseline Configuration Reviews: Conducted reviews to agree upon and document baseline configurations. Involved relevant stakeholders and ensured consensus on specifications.
    3. Maintained System Component Inventories: Created centralized inventories of system components. Included information such as hardware specifications, software licenses, and version numbers.
    4. Updated Baseline Configurations: Reviewed and updated baseline configurations as systems changed over time. Considered security risks and deviations from established baselines.
    5. Ensured Component Accountability: Included system-specific information in inventories for proper component accountability. Captured details like system association, system owner, device type, model, serial number, and physical location.
    6. Aligned with Enterprise Architecture: Ensured baseline configurations reflected the current enterprise architecture. Maintained consistency with the overall system architecture and network topology.
    7. Followed Security-Focused Configuration Management: Referred to guidance provided in SP 800-128 for security-focused configuration management. Implemented recommended practices to enhance system security.
    8. Conducted Regular Audits: Performed periodic audits to validate the accuracy and completeness of baseline configurations and inventories. Identified and addressed any discrepancies or non-compliance issues.
    9. Documented Changes: Documented any changes made to baseline configurations. Recorded the reasons for changes, security risks addressed, and deviations from the established baseline.
    10. Ensured Training and Awareness: Provided training and awareness programs to relevant personnel regarding the importance of baseline configurations and inventories. Educated employees on their role in maintaining and adhering to established baselines.

    Example of Plan of Action and Milestones (POA&M):

    Milestone 1: Definition of Baseline Configurations

    Task 1: Document system specifications by September 30, 2023.

    Task 2: Conduct formal reviews and reach consensus on baseline configurations by October 31, 2023.

    Milestone 2: Establishment of Baseline Configuration Reviews

    Task 1: Schedule and conduct baseline configuration reviews with stakeholders by November 30, 2023.

    Task 2: Document and maintain records of agreed-upon baseline configurations by December 31, 2023.

    Milestone 3: Maintenance of System Component Inventories

    Task 1: Create centralized inventories of system components by January 31, 2024.

    Task 2: Regularly update the inventories to reflect changes by the last day of each quarter.

    Milestone 4: Updating Baseline Configurations

    Task 1: Review and update baseline configurations based on changes by the last day of each quarter.

    Task 2: Consider security risks and deviations from baselines during updates.

    Milestone 5: Ensuring Component Accountability

    Task 1: Include system-specific information in inventories by February 28, 2024.

    Task 2: Capture details like system association, owner, type, model, and serial number by March 31, 2024.

    Milestone 6: Alignment with Enterprise Architecture

    Task 1: Ensure baseline configurations reflect the current company architecture by April 30, 2024.

    Task 2: Maintain consistency with system architecture and network topology.

    Milestone 7: Security-Focused Configuration Management

    Task 1: Refer to guidance for security-focused configuration management by May 31, 2024.

    Task 2: Implement recommended practices.

    Milestone 8: Conducting Regular Audits

    Task 1: Perform the first audit to validate baseline configurations and inventories by June 30, 2024.

    Task 2: Regularly conduct audits to identify discrepancies on a quarterly basis.

    Milestone 9: Documentation of Changes

    Task 1: Document changes made to baseline configurations promptly after each change.

    Task 2: Record reasons for changes and deviations from the baseline.

    Milestone 10: Training and Awareness

    Task 1: Conduct training programs on baseline configurations and inventories by July 31, 2024.

    Task 2: Provide regular refresher training and awareness sessions on an annual basis.

    Please adjust the target dates according to your organization’s specific timeline and priorities. Regularly review and update baseline configurations and inventories to ensure compliance and adapt to changes in systems and security requirements.

    Helpful Links:

    Network Visualization Solutions:

    Note: This compilation relies on publicly accessible data and may include websites from vendors that cater to medium and large enterprises. It’s advisable for readers to conduct independent research to find the best match for their particular organizational requirements.

    Spiceworks

    • Website: www.spiceworks.com
    • Description: Spiceworks offers a free suite of tools including network mapping, inventory, monitoring, and troubleshooting functionalities.
    • Pricing: Free.
    • Highlight: Community-driven with a rich feature set for small to medium-sized businesses.
    • Limitation: May lack the depth required for larger or more complex networks.

    Lansweeper

    • Website: www.lansweeper.com
    • Description: Lansweeper is an agentless IT asset management solution that allows you to scan and manage all network devices.
    • Pricing: Free for up to 100 assets; tiered pricing for more extensive requirements.
    • Highlight: Integrates with various platforms and offers extensive custom reporting.
    • Limitation: Some users may find the user interface to be less intuitive.

    Network Detective

    • Website: www.rapidfiretools.com
    • Description: Network Detective is a tool primarily used by MSPs for IT assessment and documentation.
    • Pricing: Subscription-based pricing model, with various packages available.
    • Highlight: Strong focus on security and compliance reporting.
    • Limitation: May not be suitable for smaller organizations due to complexity.

    Cisco Network Assistant

    • Website: www.cisco.com
    • Overview: Renowned globally, Cisco offers complimentary network mapping for up to 80 devices.
    • Price: Free.
    • Opinion: Highly practical for Cisco networks but limited to Cisco products.

    10-Strike LANState

    • Website: www.10-strike.com
    • Overview: Focuses on network mapping and host monitoring.
    • Price: $124.95 for 50 hosts (one-time license).
    • Opinion: Suitable for basic needs but offers limited advanced features.

    Intermapper by HelpSystems

    • Website: www.helpsystems.com
    • Overview: Offers both free and paid robust network monitoring.
    • Price: Free for up to five devices; custom pricing thereafter.
    • Opinion: Affordable but could benefit from UI modernization.

    OpManager by ManageEngine

    • Website: www.manageengine.com
    • Overview: Network mapping solutions.
    • Price: Free for up to three devices; custom pricing afterward.
    • Opinion: Comprehensive but might be challenging due to technical jargon.

    N‑able™ N-central®

    • Website: www.n-able.com
    • Overview: Visibility and network mapping targeted at service providers.
    • Price: Commercial models vary (undisclosed pricing).
    • Opinion: Offers dynamic visualizations but may be demanding to learn.

    Network Olympus

    • Website: www.network-olympus.com
    • Overview: For network monitoring, topology mapping, and uptime improvement.
    • Price: From $90 for 25 devices.
    • Opinion: Feature-rich but confined to network mapping.

    Nmap

    • Website: www.nmap.org
    • Overview: Open-source solution with community support.
    • Price: Free.
    • Opinion: Flexible and powerful but requires technical knowledge.

    SolarWinds® Network Topology Mapper

    • Website: www.solarwinds.com
    • Overview: For visualizing intricate networks.
    • Price: Starting at $1,570.
    • Opinion: Excellent for complex networks but time-consuming map building.

    Progress WhatsUp Gold’s Network Mapping Tool

    • Website: www.whatsupgold.com
    • Overview: For mid-sized and large businesses.
    • Price: Starts at $2,740 for 25 devices annually.
    • Opinion: Offers customization but involves a steep learning curve.

    RELEVANT INFORMATION:

    Baseline configurations are documented, formally reviewed, and agreed-upon specifications for systems or configuration items within those systems. Baseline configurations serve as a basis for future builds, releases, and changes to systems. Baseline configurations include information about system components (e.g., standard software packages installed on workstations, notebook computers, servers, network components, or mobile devices; current version numbers and update and patch information on operating systems and applications; and configuration settings and parameters), network topology, and the logical placement of those components within the system architecture. Baseline configurations of systems also reflect the current enterprise architecture. Maintaining effective baseline configurations requires creating new baselines as organizational systems change over time. Baseline configuration maintenance includes reviewing and updating the baseline configuration when changes are made based on security risks and deviations from the established baseline configuration. Organizations can implement centralized system component inventories that include components from multiple organizational systems. In such situations, organizations ensure that the resulting inventories include system-specific information required for proper component accountability (e.g., system association, system owner). Information deemed necessary for effective accountability of system components includes hardware inventory specifications, software license information, software version numbers, component owners, and for networked components or devices, machine names and network addresses. Inventory specifications include manufacturer, device type, model, serial number, and physical location. [SP 800-128] provides guidance on security-focused configuration management.
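    The two checks the discussion above implies, as an added example that is not code from the page or from NIST: an inventory record is tested for the accountability fields the text lists, and an observed software set is compared with the documented baseline so that unapproved, missing and version-mismatched packages are reported separately. All records, package names and versions are constructed sample data.

```python
"""Inventory completeness and baseline-drift checks for 3.4.1.

Added example, not code from the page or from NIST: the required fields are
the ones the 'Relevant information' text lists; records and baselines below
are constructed sample data.
"""

# Accountability fields the 3.4.1 discussion names for each component.
REQUIRED_FIELDS = (
    "system_association", "system_owner", "manufacturer", "device_type",
    "model", "serial_number", "physical_location", "machine_name",
    "network_address", "software",
)

def missing_fields(record: dict) -> list:
    """Return the accountability fields a component record leaves blank."""
    return [f for f in REQUIRED_FIELDS if not record.get(f)]

def baseline_deviations(baseline: dict, observed: dict) -> dict:
    """Compare observed package versions against the documented baseline.

    Both maps are package name -> version. The three kinds of drift are kept
    apart because each needs a different follow-up: unapproved software
    (remove, or approve and re-baseline), missing software (rebuild), and
    version mismatch (an untracked patch or a rollback).
    """
    unapproved = sorted(set(observed) - set(baseline))
    missing = sorted(set(baseline) - set(observed))
    mismatched = {
        pkg: (baseline[pkg], observed[pkg])
        for pkg in baseline.keys() & observed.keys()
        if baseline[pkg] != observed[pkg]
    }
    return {"unapproved": unapproved, "missing": missing, "mismatched": mismatched}

# Constructed sample: an approved workstation baseline and one inventory record.
WORKSTATION_BASELINE = {"openssh": "9.3p1", "edr-agent": "4.2.0", "office": "16.0"}
SAMPLE_RECORD = {
    "system_association": "CUI enclave", "system_owner": "J. Doe",
    "manufacturer": "ExampleCorp", "device_type": "laptop", "model": "X1",
    "serial_number": "SN-0001", "machine_name": "ws-0001",
    "network_address": "10.0.5.21",  # physical_location deliberately omitted
    "software": {"openssh": "9.3p1", "edr-agent": "4.1.7", "office": "16.0",
                 "remote-tool": "2.0"},
}

if __name__ == "__main__":
    print("missing fields:", missing_fields(SAMPLE_RECORD))
    print("drift:", baseline_deviations(WORKSTATION_BASELINE, SAMPLE_RECORD["software"]))
```

    Each finding maps back to the POA&M: a missing field is a Milestone 5 gap, a drift entry is a Milestone 4 or 9 item that needs a documented reason or a remediation.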



    Resources to consider:

    Security Policy Document:

    This comprehensive document outlines the organization’s security policies and procedures, including information system access controls and the specific measures implemented, such as password protection, multi-factor authentication, and device access controls. It should also cover consequences of unauthorized access and the importance of user training and awareness.

    Asset Inventory and Access Control Sheet:

    Create a spreadsheet that lists all information system resources in your organization, such as laptops, desktops, servers, network devices, printers, scanners, mobile devices, and paper documents. Alongside each resource, include information about authorized users, access rights, and any access restrictions.

    User Account Management Log:

    Maintain a log to track user account creation, modification, and removal. Include details like the date of account creation, purpose, and the individual responsible for approving the account.

    Password and Multi-Factor Authentication Policy:

    Combine the password policy and multi-factor authentication policy into a single document. Outline the organization’s password requirements, including complexity, length, expiration, and regular password change, as well as the implementation of multi-factor authentication for an extra layer of security.

    Process and Script Accountability Log:

    Maintain a log that associates automated scripts and processes with the specific authorized user who initiated them. This ensures accountability and prevents the use of generic accounts for critical processes.

    Device Access Control and VPN Policy:

    Merge the device access control and VPN configuration documents into a single policy. Detail the measures for controlling device access, authentication mechanisms, and VPN configuration, including which devices are allowed to connect and the authentication methods used.

    Access Control Review and Monitoring Schedule:

    Create a schedule for periodic reviews of access controls, including the process for adding, modifying, or revoking access rights based on personnel changes or business needs. Also, document the monitoring mechanisms implemented to track access to the information system, including logs and reports of access attempts and unusual activities.

    User Training and Awareness Materials:

    Prepare training materials and conduct regular sessions for authorized users. Document the topics covered, the date of the training, and the attendees.