CHNG-16

Do you have a systems management and configuration strategy that encompasses servers, appliances, cloud services, applications, and mobile devices (company and employee owned)?

Explanation

This question is asking whether your organization has a comprehensive strategy for managing and configuring all of your technology assets across your entire environment. A systems management and configuration strategy refers to the documented approach, policies, procedures, and tools used to maintain, update, and secure all technology components.

The question specifically asks about multiple types of assets:

- Servers (physical and virtual)
- Appliances (hardware devices such as firewalls and routers)
- Cloud services (AWS, Azure, SaaS applications)
- Applications (both internally developed and third-party)
- Mobile devices (both company-owned and employee-owned/BYOD)

Security assessors ask this question because inconsistent or ad-hoc management of systems creates security vulnerabilities. Without a comprehensive strategy, organizations risk:

- Configuration drift (systems diverging from their approved baseline, and from each other, over time)
- Unpatched vulnerabilities
- Inconsistent security controls
- Shadow IT (unmanaged or unapproved technology)
- Difficulty responding to incidents, because nobody can say with confidence what is deployed or how it is configured

A good answer should describe your formal approach to systems management, including:

1. How configurations are standardized and documented
2. How changes are controlled and tracked
3. What tools are used for automation and monitoring
4. How different asset types are handled (especially BYOD)
5. How compliance with the strategy is enforced

Even if your strategy isn't perfect or comprehensive yet, be honest about what you do have while acknowledging the gaps you're working to address.

Example Responses

Example Response 1

Yes, we maintain a comprehensive systems management and configuration strategy that covers our entire technology environment. For servers and cloud infrastructure, we use infrastructure-as-code (Terraform and AWS CloudFormation) with version-controlled templates stored in our Git repository. All configuration changes go through our CI/CD pipeline with automated testing. For applications, we use Docker containers with standardized base images and dependency management. Our cloud services are managed through centralized AWS Organizations with guardrails and service control policies (SCPs). For endpoints and mobile devices, we use Microsoft Intune for MDM/MAM to enforce security policies on both company-owned and employee-owned devices. All BYOD devices must enroll in our MDM solution to access company resources. Network appliances are managed by our network operations team using Cisco DNA Center for automation and compliance monitoring. All systems are monitored for configuration drift using automated tools, and we conduct quarterly compliance audits against our baselines.

Example Response 2

Yes, our organization has implemented a multi-layered systems management and configuration strategy. For server infrastructure, we use Ansible for configuration management with hardened baselines based on CIS benchmarks. Our cloud environments in Azure and GCP are managed through a combination of Azure Policy and GCP Organization Policies to enforce security guardrails. For applications, we maintain a software catalog in ServiceNow and use package managers with integrity verification. Mobile devices are managed differently based on ownership: company-owned devices use a full MDM solution (MobileIron), while employee-owned devices use a containerization approach with separate work profiles and conditional access policies. Network appliances follow change management procedures with pre-approved templates and peer review. All configuration changes require tickets in our ITSM system and go through our change advisory board for risk assessment. We use automated scanning tools to verify configurations against our security baselines weekly.
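Both of the "Yes" responses above rest on the same claim: that systems are checked automatically against a hardened baseline and drift is reported. As an added example (not part of the original page, and not a ResponseHub tool), here is a small Python check of that kind for an OpenSSH server configuration. It parses an sshd_config the way sshd does (first value for a keyword wins, and directives below a Match block are conditional), fills in the compiled-in default when a keyword is absent, and reports every setting that differs from the baseline. The config body, the baseline values and the default table are constructed for the example; on a real host the effective values should come from `sshd -T` rather than the assumed defaults listed here.

```python
"""Baseline drift check for an sshd_config (added example, not from the page)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed baseline in the style of a CIS benchmark: keyword -> required value.
BASELINE: Dict[str, str] = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "x11forwarding": "no",
    "maxauthtries": "4",
    "permitemptypasswords": "no",
    "loglevel": "verbose",
}

# Assumed OpenSSH defaults used when a keyword is not set at all.
# Replace with the output of `sshd -T` on the host being audited.
DEFAULTS: Dict[str, str] = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "x11forwarding": "no",
    "maxauthtries": "6",
    "permitemptypasswords": "no",
    "loglevel": "info",
}

# Constructed sample config; the second PasswordAuthentication line is a
# duplicate that sshd ignores, and the Match block is conditional.
SAMPLE_SSHD_CONFIG = """
Port 22
PermitRootLogin yes
PasswordAuthentication no
PasswordAuthentication yes
X11Forwarding no
LogLevel VERBOSE
Match User backup
    PasswordAuthentication yes
"""


@dataclass
class Finding:
    keyword: str
    expected: str
    actual: Optional[str]  # None if neither the config nor the default table sets it
    source: str            # "config" if set explicitly, "default" if inherited


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Return the effective global settings from an sshd_config body.

    sshd keeps the first value it sees for each keyword, so later duplicates
    are ignored. Parsing stops at the first Match block, because anything
    below it only applies to connections matching the block's criteria.
    """
    effective: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keyword and argument may be separated by whitespace or a single '='.
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        effective.setdefault(key, value)
    return effective


def check_drift(config_text: str,
                baseline: Dict[str, str] = BASELINE,
                defaults: Dict[str, str] = DEFAULTS) -> List[Finding]:
    """Compare the effective settings against the baseline, case-insensitively."""
    effective = parse_sshd_config(config_text)
    findings: List[Finding] = []
    for key, expected in baseline.items():
        if key in effective:
            actual, source = effective[key], "config"
        else:
            actual, source = defaults.get(key), "default"
        if actual is None or actual.lower() != expected.lower():
            findings.append(Finding(key, expected, actual, source))
    return findings


def format_report(findings: List[Finding]) -> str:
    """One line per drifted setting, suitable for a ticket or weekly scan log."""
    if not findings:
        return "no drift from baseline"
    return "\n".join(
        f"DRIFT {f.keyword}: expected {f.expected!r}, got {f.actual!r} ({f.source})"
        for f in findings
    )


if __name__ == "__main__":
    print(format_report(check_drift(SAMPLE_SSHD_CONFIG)))
```

On the sample config the check flags PermitRootLogin (explicitly set to yes) and MaxAuthTries (never set, so the assumed default of 6 applies), while the duplicate PasswordAuthentication line and the Match block are correctly ignored. Treating an unset keyword as drift whenever its default is weaker than the baseline is the part ad-hoc "grep the config" checks usually miss.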

Example Response 3

No, we do not currently have a comprehensive systems management and configuration strategy that covers all the mentioned technology assets. Our server infrastructure is managed through manual processes with some basic documentation, and we use standard images for new deployments. For cloud services, each department manages their own accounts with limited central oversight. Our applications are updated on an as-needed basis without a formal process. For mobile devices, we have basic security requirements documented but no technical enforcement for employee-owned devices. We recognize this as a gap in our security program and are currently developing a more comprehensive strategy. In the next six months, we plan to implement a configuration management database (CMDB), formalize our change management processes, and deploy an MDM solution to better manage both company-owned and employee-owned mobile devices.

Context

Tab: Organization
Category: Change Management

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain-points. They were confusing, hard to delegate and arrived like London busses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub