Do you have a systems management and configuration strategy that encompasses servers, appliances, cloud services, applications, and mobile devices (company and employee owned)?
Explanation
Assessors want assurance that you manage and configure your entire technology estate consistently, spanning servers, appliances, cloud services, applications, and both company- and employee-owned mobile devices. A systems management and configuration strategy refers to the documented approach, policies, procedures, and tools used to maintain, update, and secure all technology components.
The question specifically asks about multiple types of assets:
- Servers (physical and virtual)
- Appliances (hardware devices like firewalls, routers)
- Cloud services (AWS, Azure, SaaS applications)
- Applications (both internally developed and third-party)
- Mobile devices (both company-owned and employee-owned/BYOD)
Security assessors ask this question because inconsistent or ad-hoc management of systems creates security vulnerabilities. Without a comprehensive strategy, organizations risk:
- Configuration drift (systems becoming increasingly different over time)
- Unpatched vulnerabilities
- Inconsistent security controls
- Shadow IT (unmanaged/unapproved technology)
- Difficulty responding to incidents
A good answer should describe your formal approach to systems management, including:
- How configurations are standardized and documented
- How changes are controlled and tracked
- What tools are used for automation and monitoring
- How different asset types are handled (especially BYOD)
- How compliance with the strategy is enforced
Even if your strategy isn't perfect or comprehensive yet, be honest about what you do have while acknowledging gaps you're working to address.
Example Responses
Example Response 1
Yes, we maintain a comprehensive systems management and configuration strategy that covers our entire technology environment For servers and cloud infrastructure, we use infrastructure-as-code (Terraform and AWS CloudFormation) with version-controlled templates stored in our Git repository All configuration changes go through our CI/CD pipeline with automated testing For applications, we use Docker containers with standardized base images and dependency management Our cloud services are managed through centralized AWS Organizations with guardrails and SCPs For endpoints and mobile devices, we use Microsoft Intune for MDM/MAM to enforce security policies on both company and employee-owned devices All BYOD devices must enroll in our MDM solution to access company resources Network appliances are managed through our network operations team using Cisco DNA Center for automation and compliance monitoring All systems are monitored for configuration drift using automated tools, and we conduct quarterly compliance audits against our baselines.
Example Response 2
Yes, our organization has implemented a multi-layered systems management and configuration strategy For server infrastructure, we use Ansible for configuration management with hardened baselines based on CIS benchmarks Our cloud environments in Azure and GCP are managed through a combination of Azure Policy and GCP Organization Policies to enforce security guardrails For applications, we maintain a software catalog in ServiceNow and use package managers with integrity verification Mobile devices are managed differently based on ownership: company-owned devices use a full MDM solution (MobileIron), while employee-owned devices use a containerization approach with separate work profiles and conditional access policies Network appliances follow change management procedures with pre-approved templates and peer review All configuration changes require tickets in our ITSM system and go through our change advisory board for risk assessment We use automated scanning tools to verify configurations against our security baselines weekly.
Example Response 3
No, we do not currently have a comprehensive systems management and configuration strategy that covers all the mentioned technology assets Our server infrastructure is managed through manual processes with some basic documentation, and we use standard images for new deployments For cloud services, each department manages their own accounts with limited central oversight Our applications are updated on an as-needed basis without a formal process For mobile devices, we have basic security requirements documented but no technical enforcement for employee-owned devices We recognize this as a gap in our security program and are currently developing a more comprehensive strategy In the next six months, we plan to implement a configuration management database (CMDB), formalize our change management processes, and deploy an MDM solution to better manage both company and employee-owned mobile devices.
Context
- Tab
- Organization
- Category
- Change Management
Related questions
- Will the institution be notified of major changes to your environment that could impact the institution's security posture?
- Does the system support client customizations from one release to another?
- Do you have an implemented system configuration management process (e.g.,secure "gold" images, etc.)?
- Do you have a documented change management process?
- Does your change management process minimally include authorization, impact analysis, testing, and validation before moving changes to production?
- Does your change management process verify that all required third-party libraries and dependencies are still supported with each major change?

