Title

Configuration management policies are available to the SA and the web administrator. (Cat III impact)

Discussion

A Configuration Management Policy and its associated procedures help to ensure the effective implementation of security controls requisite to the organizational goals of integrity, availability, and confidentiality by governing the change process, which is necessary to ensure that unapproved and malformed software, or unapproved configuration changes, are not introduced into the production environment. It should include, but may not be limited to, auditing change, the use of automated change controls, limiting change to authorized personnel with regard to direct changes to production software, and lists of approved or disapproved software.

Check Content

If an MOU or an SLA exists between a hosting agency and the information owner, those documents will address the requirement presented in this check. If the hosting agency is responsible for CM, it will provide the proof. If the information owner is responsible for CM, it will provide assurance and supporting information to the hosting agency. The reviewer will have access to this documentation and any supporting materials. The SA and or the web administrator should be in possession of or have access to the most recent Configuration Management Policy as developed by the organization. They should also be able to demonstrate policy compliance. Review the risk assessment, security plan, and any supplements necessary to verify that these procedures are documented. Required elements of CM: 1. An indication of who approves the changes to both administrative configuration changes and the software installed on the production web server. 2. A process that documents and audits web server configuration and web server software changes, approvals, and disapprovals. 3. A process or policy that addresses procedures with regard to what may or may not be configured, changed, or implemented. If a Change Management Policy does not exist, or compliance cannot be demonstrated, this is a finding.

Fix Text

Documented CM policies and procedures will be made available to the IAO, the SA, or the web administrator.

Additional Identifiers

Rule ID: SV-28772r1_rule

Vulnerability ID: V-23836

Group Title: Access to Configuration Management policies.

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.