Do you have an implemented system configuration management process (e.g.,secure "gold" images, etc.)?
Explanation
At issue is whether you run a formal configuration management process, including secure baseline or "gold" images that keep systems built to a known, hardened standard.
A system configuration management process ensures that systems are deployed with secure, standardized settings and that these configurations remain consistent and controlled over time. A "gold image" is a master template for a system (like a server, workstation, or virtual machine) that contains pre-configured, hardened security settings, approved software, and proper configurations that comply with your security policies.
Why this matters in a security assessment:
- Consistency: Ensures all systems start from a known, secure state
- Efficiency: Reduces manual configuration errors during deployment
- Security baseline: Provides protection against common vulnerabilities by default
- Compliance: Helps meet regulatory requirements by enforcing standard configurations
- Change control: Makes unauthorized changes more visible and trackable
The assessor wants to know if you have a systematic approach to configuring systems rather than ad-hoc, manual configurations that might vary between deployments. They're looking for evidence that you're reducing security risks through standardization and automation.
Example Responses
Example Response 1
Yes, our organization implements a comprehensive system configuration management process We maintain secure gold images for all our server and workstation deployments using HashiCorp Packer to build standardized VM templates These images are hardened according to CIS benchmarks and include only necessary software components with secure default configurations We use Ansible for configuration management to ensure consistent application of security controls across all environments Our gold images are stored in a version-controlled repository, undergo security scanning before approval, and are updated quarterly or when critical security patches are released Changes to these images require security review and approval through our change management process.
Example Response 2
Yes, we have implemented a robust system configuration management process Our DevOps team maintains Docker container images and VM templates that serve as our secure baseline configurations These gold images are built using infrastructure-as-code principles with Terraform and are stored in our private artifact repository Each image undergoes automated security testing including vulnerability scanning and compliance checking against our security baseline We use GitOps workflows to manage configuration changes, requiring peer review and automated testing before deployment Our gold images are updated monthly with security patches, and all deviations from standard configurations require documented exceptions through our security exception process.
Example Response 3
No, we currently don't have a formal system configuration management process with secure gold images Our system administrators manually configure each server when deployed, following a general checklist of security settings While we try to maintain consistency, we recognize this approach is prone to human error and configuration drift over time We're planning to implement a more structured approach in the next quarter, including developing standardized images and adopting configuration management tools like Puppet to enforce consistent configurations In the meantime, we mitigate risks through post-deployment security scans and quarterly configuration reviews to identify and remediate security gaps.
Context
- Tab
- Organization
- Category
- Change Management
Related questions
- Will the institution be notified of major changes to your environment that could impact the institution's security posture?
- Does the system support client customizations from one release to another?
- Do you have a documented change management process?
- Does your change management process minimally include authorization, impact analysis, testing, and validation before moving changes to production?
- Does your change management process verify that all required third-party libraries and dependencies are still supported with each major change?
- Do you have policy and procedure, currently implemented, managing how critical patches are applied to all systems and applications?

