CHNG-03

Do you have an implemented system configuration management process (e.g., secure "gold" images, etc.)?

Explanation

This question is asking whether your organization has a formalized process for managing system configurations, particularly focusing on whether you create and maintain secure baseline configurations (often called "gold images") for your systems.

A system configuration management process ensures that systems are deployed with secure, standardized settings and that these configurations remain consistent and controlled over time. A "gold image" is a master template for a system (such as a server, workstation, or virtual machine) that contains pre-configured, hardened security settings, approved software, and proper configurations that comply with your security policies.

Why this matters in a security assessment:

1. Consistency: Ensures all systems start from a known, secure state
2. Efficiency: Reduces manual configuration errors during deployment
3. Security baseline: Provides protection against common vulnerabilities by default
4. Compliance: Helps meet regulatory requirements by enforcing standard configurations
5. Change control: Makes unauthorized changes more visible and trackable

The assessor wants to know if you have a systematic approach to configuring systems rather than ad-hoc, manual configurations that might vary between deployments. They're looking for evidence that you're reducing security risks through standardization and automation.
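The change-control point above (unauthorized changes becoming visible) is what a drift check against the gold baseline delivers. The following is an added example, not code from the original page or from any tool it names: it compares a snapshot of a deployed host with the manifest a gold image build would record. The manifest shape, package versions, file contents and hashes are constructed assumptions.

```python
"""Drift check of a deployed host against its gold-image baseline. Added
example (not from the page or its vendors); assumes a hypothetical manifest
of packages, service states and config-file hashes exported at image build."""
import hashlib


def fingerprint_files(contents: dict) -> dict:
    """Path -> SHA-256 of file content, as recorded when the image is built."""
    return {p: hashlib.sha256(d).hexdigest() for p, d in contents.items()}


def flatten(tree: dict, prefix: tuple = ()) -> dict:
    """Nested manifest -> {(section, ..., key): leaf value}."""
    flat = {}
    for key, value in tree.items():
        if isinstance(value, dict):
            flat.update(flatten(value, prefix + (key,)))
        else:
            flat[prefix + (key,)] = value
    return flat


def compare_to_baseline(baseline: dict, observed: dict) -> dict:
    """Classify each baseline entry as intact, modified or missing; host
    entries the baseline never approved (an extra package) are unexpected."""
    base, obs = flatten(baseline), flatten(observed)
    report = {"modified": {}, "missing": [], "unexpected": []}
    for path, expected in base.items():
        if path not in obs:
            report["missing"].append(path)
        elif obs[path] != expected:
            report["modified"][path] = (expected, obs[path])
    report["unexpected"] = sorted(p for p in obs if p not in base)
    return report


def is_clean(report: dict) -> bool:
    return not any(report.values())


# Constructed sample: one host where root SSH login was re-enabled, auditd is
# no longer an enabled service and an unapproved package was installed.
SSHD_GOLD = b"PermitRootLogin no\nPasswordAuthentication no\n"
SSHD_HOST = b"PermitRootLogin yes\nPasswordAuthentication no\n"
GOLD_BASELINE = {"packages": {"openssh-server": "9.2p1-2"},
                 "services": {"sshd": "enabled", "auditd": "enabled"},
                 "files": fingerprint_files({"/etc/ssh/sshd_config": SSHD_GOLD})}
OBSERVED_HOST = {"packages": {"openssh-server": "9.2p1-2", "netcat": "1.10-47"},
                 "services": {"sshd": "enabled"},
                 "files": fingerprint_files({"/etc/ssh/sshd_config": SSHD_HOST})}


def build_report() -> dict:
    """Drift report for the constructed host; all sections empty means no drift."""
    return compare_to_baseline(GOLD_BASELINE, OBSERVED_HOST)
```

In practice the observed snapshot would be collected by the configuration management tool (Ansible facts, for instance) on a schedule, and any non-empty report section routed into the change management process as a finding.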

Example Responses

Example Response 1

Yes, our organization implements a comprehensive system configuration management process. We maintain secure gold images for all our server and workstation deployments using HashiCorp Packer to build standardized VM templates. These images are hardened according to CIS benchmarks and include only necessary software components with secure default configurations. We use Ansible for configuration management to ensure consistent application of security controls across all environments. Our gold images are stored in a version-controlled repository, undergo security scanning before approval, and are updated quarterly or when critical security patches are released. Changes to these images require security review and approval through our change management process.

Example Response 2

Yes, we have implemented a robust system configuration management process. Our DevOps team maintains Docker container images and VM templates that serve as our secure baseline configurations. These gold images are built using infrastructure-as-code principles with Terraform and are stored in our private artifact repository. Each image undergoes automated security testing, including vulnerability scanning and compliance checking against our security baseline. We use GitOps workflows to manage configuration changes, requiring peer review and automated testing before deployment. Our gold images are updated monthly with security patches, and all deviations from standard configurations require documented exceptions through our security exception process.

Example Response 3

No, we currently don't have a formal system configuration management process with secure gold images. Our system administrators manually configure each server when deployed, following a general checklist of security settings. While we try to maintain consistency, we recognize this approach is prone to human error and configuration drift over time. We're planning to implement a more structured approach in the next quarter, including developing standardized images and adopting configuration management tools like Puppet to enforce consistent configurations. In the meantime, we mitigate risks through post-deployment security scans and quarterly configuration reviews to identify and remediate security gaps.

Context

Tab: Organization
Category: Change Management

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain-points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub