Critical Information Asset Inventory, Secure Configuration Management
MOD, HIGH
P1
No
IT assets and configurations are managed ineffectively due to the lack of a configuration management process.
The organization develops, documents, and implements a configuration management plan for the information system that:
a. Addresses roles, responsibilities, and configuration management processes and procedures;
b. Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items;
c. Defines the configuration items for the information system and places the configuration items under configuration management; and
d. Protects the configuration management plan from unauthorized disclosure and modification.
Written, document configuration plan is available relevant to application systems.
No statewide control
Obtain Configuration management policy; configuration management plan; procedures addressing configuration management planning; security plan; other relevant documents or records and ascertain if:
(I)the organization develops, documents, and implements a configuration management plan for the information system that:
-addresses roles, responsibilities, and configuration management processes and procedures;
-defines the configuration items for the information system and when in the system development life cycle the configuration items are placed under configuration management; and
-establishes the means for identifying configuration items throughout the system development life cycle and a process for managing the configuration of the configuration items.
