Change Management, Critical Information Asset Inventory, Secure Configuration Management
LOW, MOD, HIGH
P1
Yes
August 24, 2016
The Center for Internet Security (CIS) Benchmarks Level I standards shall be the baseline set of security controls for all Agency-owned information resources. Additional baseline controls, and changes to systems and controls, shall be managed through a configuration management system approved by the information resource owner.
Changes to systems and applications are executed inconsistently in the production environment due to ill-defined procedures.
The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system.
The organization uses configuration policies and procedures to manage the change lifecycle.
The state organization develops, documents, and maintains a current baseline configuration of the information system.
Obtain configuration management policy; procedures addressing the baseline configuration of the information system; configuration management plan; Federal Enterprise Architecture documentation; information system design documentation; information system architecture and configuration documentation; historical copies of baseline configurations; list of software programs not authorized to execute on the information system; other relevant documents or records and ascertain if:
(i) the organization develops and documents a baseline configuration of the information system that is consistent with the Federal Enterprise Architecture, shows relationships among information system components, and provides a well-defined and documented specification to which the information system is built.
(ii) the organization maintains the baseline configuration.
(iii) the organization documents deviations from the baseline configuration, in support of mission needs/objectives.
(iv) the organization develops and maintains a list of software programs not authorized to execute on the information system.