Example of configuration management plan

MIkeRKaplan
MIkeRKaplan used Ask the Experts™
on
I am looking for examples of a configuration management plan that describes baseline security/applications/programs for workstations and servers. I have found lots of information on how to do this in a large company by using lots of people to hold lots of meetings and write lots of papers. I only have me. I'm looking for some generic example of what this would look like. Maybe it's writer's block. Key words would be NIST and cyber security.
I'm hoping you have come across something like this in the past.
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
There is the NIST Guide for Security-Focused Configuration Mangement of Information Systems:
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-128.pdf
NIST says:  
To ensure
that the required adjustments to the system configuration do not adversely affect the security of the
system or the organization from operation of the system, a well-defined configuration management
process that integrates information security is needed.

Now, I rather imagine that you've seen this.  

I do understand your situation.
So, as a first step, I'd say to read section 2.2 with an eye toward "what is the real objective here?" and "how might I be able to say HOW the objective is being met?" as compared with how they might imply the objective WOULD BE met.

I note that *you* have every role listed on page 12 and 14 all by yourself.

You might well consider what they say about SecCM policy and translate that into your situation as best possible.
While it *is* hard work, it may be useful to say "here is how I'm doing this".
For example, if testing is an ingredient then instead of skipping over it, you might incorporate some method of testing that's suitable.

It's silly to have a "review committee" made of multiple people and roles if there is only a committee of ONE.
Taking this as an example, don't avoid things you don't like on first reading.  Likewise don't embrace things that are silly.  
Rather *address* the objective in a suitable way.
The objective of a review committee might mostly be to run through a suitable checklist - which YOU can do.
Consider creating a checklist that encompasses many of the paragraph headings in the NIST document.

Be knowledgeable.
Be confident.
Be comprehensive.  

You may have the objective of being as secure as humanly possible with one guy.
You may have the objective of passing the audit.
Re: the latter, you may start by being more brief than you think you can get away with.
That depends on your objective - whether it is to "check off the box" or to "be as good as you know how to be".
Make it all suitable for your own situation.
The thought and effort that goes into it should carry weight with auditors.

Once audited, you'll have *some* idea what they are going to want to see - in the real world.
I've had them tell me: Oh!  We didn't expect you to do all that!!  
I've had them tell me: Why is this little nit-picking fact that shows in the SIEM data appearing?
Only time will tell.

Here's another reference [url
]https://nvd.nist.gov/800-53/Rev4/family/Configuration%20Management[/url]
Thank you for detailed comment. It is very insightful. I wanted to look over what you had written and see if I had any questions. You have given me a perspective I didn't have before. It's still a tall order for me to tackle, but I have a better focus on what I'm looking at and what I will produce.
 I couldn't do this without you! This has the most wisdom in one comment I have ever seen.
MikeRKaplan:  It was my pleasure to help!

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial