controls on the system documentation and the system itself, a good configuration management plan must be established.
Configuration management plans should contain the five following sections, at a minimum:
Executive Summary of the System;
Roles and Responsibilities;
Communications;
Configuration Management Activities; and
The Executive Summary should mirror the information provided about the system in the security plan. It should include: system identification, the responsible organization, and an introduction covering purpose, scope and audience. Mirroring the system information in the security plan and the CM plan keeps the two documents consistent and ties both to the same system, so that neither describes a system the other does not recognize.
As with any system document and project, it is important to identify Roles and Responsibilities. This reduces the risk of error and negligence. This section should clearly state who is responsible for which parts of configuration management. Typically this can be broken down into three groups: the CM Management Team; the CM Organization; and specific CM responsibilities.
The CM Management group is responsible for the overall management of the business processes. This is typically senior management.
The CM Organization group is responsible for addressing standard procedures and practices, including tools.
Individual CM responsibilities outline exactly who is responsible for which tasks, such as opening change requests, controlling versions, or approving changes. This section should be very detailed to avoid confusion over functions.
The Communications section should describe in detail how the CM system reports, tracks and resolves change requests. This is quite often managed via automated tools.
Configuration Management activities should be clearly established and understandable. The activities can vary by organization and by tool, but they should all describe the configuration items under the project's control and what constitutes a valid change request. This section should also address the process for controlling versions, opening change requests, tracking changes, meeting schedules, implementation decisions, validation against security controls, and audits and reviews.
© SANS Institute 2004, Author retains full rights. As part of the Information Security Reading Room.