From National Institute of Standards and Technology | Nov 29, 2010
An information system is composed of many components that can be interconnected in a
multitude of arrangements to meet a variety of business, mission and information
security needs. How these information system components are networked, configured and
managed is critical in providing adequate information security and supporting an
organization's risk management process.
An information system is typically in a constant state of change in response to new
or enhanced hardware and software capability, patches for correcting errors to existing
components, new security threats and changing business functions. Implementing
information system changes almost always results in some adjustment to the system
baseline configuration. To ensure that the required adjustments to the system
configuration do not adversely affect the information system security, a well-defined
security configuration management process is needed.
This security configuration management publication is intended to provide guidelines
for organizations responsible for managing and administrating the security of federal
information system computing environments. For organizations responsible for the
security of information processed, stored and transmitted by external or
service-oriented computing environments (e.g., cloud computing environment providers),
the security configuration management concepts and principles presented here can aid
organizations in establishing assurance requirements for suppliers providing external
computing services.
The attached Zip file includes:
- Intro Page.doc
- Cover Sheet and Terms.doc
- Guide for Security Configuration Management of Information Systems.pdf
