Configuration Management (CM) is the process of proposing, authorizing, and implementing system or software changes. Configuration Management is important for organizations because of system drift and, in some cases, regulatory requirements. System drift occurs when a system, over time, changes from its established baseline. Drifting from the established baseline can make supporting the system harder and can introduce security vulnerabilities.
Change authorization is part of configuration management and is needed to keep systems in a known, documented state. A change needs to be evaluated for its impact on the system, including security and availability, before it is approved. If a change is approved, not only should the change be implemented on the system, but the associated documentation must also be updated. This may include the Configuration Management Database (CMDB), operational procedures, system inventories, and/or other documents.
It is expected that your organization has a configuration management program that includes change management with a formalized, documented approval process.
A risk management program evaluates observed risks to your organization’s security.
Typically, a risk management program will dictate that all factors generating risk are evaluated on a regular basis (e.g., monthly, quarterly, or annually) and that any issues which arise between regular analyses are evaluated as they occur.
Risks are also classified into severities such as High, Medium, or Low. The program will also dictate how much time is allowed for addressing an issue based on its severity level.
Finally, the risk management program should be documented and approved, and ultimately upheld, by the business owner or executive management such as the CEO.
For example, the lack of hard disk encryption on employee laptops could present a medium risk, since the loss of a laptop would expose all information on that laptop to whoever finds it. Your risk management policy may dictate that medium risks are addressed within 90 days, or else the risk must be formally accepted by the system owner and the most senior security officer.
An approved risk management program ensures that a policy is in place to manage the overall risk of an organization and that it is well understood by key stakeholders in the business. Approval conveys that the program is reasonably mature and ensures management agrees on how risk is managed.
Your organization has a risk management policy that has been approved by executive management. The risk management program should guide how risk is evaluated, how often it is evaluated, how risks are managed, and finally who in the organization is responsible for reviewing and accepting risk.