5.4: Deploy System Configuration Management Tools
Deploy system configuration management tools that will automatically enforce and redeploy configuration settings to systems at regularly scheduled intervals.
Asset Type | Security Function | Implementation Groups
---|---|---
Applications | Protect | 2, 3
Dependencies
Sub-control 1.4: Maintain Detailed Asset Inventory
Sub-control 2.4: Track Software Inventory Information
Sub-control 5.1: Establish Secure Configurations
Inputs
1. The organization’s configuration monitoring system
2. The list of endpoints
3. The inventory and mappings of secure configuration policy(ies) to the list of endpoints
4. The organization’s approved configuration scanning interval (at least weekly)
Assumptions
A timestamp “t” is defined as the time of a given configuration assessment
A subsequent assessment, following the approved scanning interval (Input 4), is noted as “t+1”
Operations
1. For each endpoint, obtain the configuration assessment results using Input 1. Note this as M1(t).
2. Following the time period specified by Input 4, re-assess to obtain a comparative assessment result. Note this as M1(t+1).
Assumptions
It is assumed that remediation/redeployment of configuration settings is taking place, and that this is reflected in improving scores across subsequent assessments.
Measures
M1(t) = (For each endpoint) Count of non-compliant recommendations resulting from Operation 1
M1(t+1) = (For each endpoint) Count of non-compliant recommendations resulting from Operation 2
M2 = (For each endpoint) Count of recommendations assessed
M3 = The number of endpoints
M4 = List of non-compliant endpoints resulting from Operation 1
M5 = List of non-compliant endpoints resulting from Operation 2
Metrics

Initial Non-Compliance |
---|---
Metric | The ratio of non-compliant recommendations at time “t” to the total recommendations assessed.
Calculation |

Subsequent Non-Compliance |
---|---
Metric | The ratio of non-compliant recommendations at time “t+1”
Calculation |

Overall Compliance |
---|---
Metric | What is the average overall compliance for all assessed endpoints at time “t”?
Calculation |
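As an added worked example (not part of the CIS document), the following Python computes measures M1 through M5 and the three metrics above from constructed assessment results for three endpoints at “t” and “t+1”, and flags endpoints that regressed between the two assessments. The endpoint names, the recommendation ids r1..r4, summing the ratios across the whole fleet, and taking per-endpoint compliance as 1 - M1/M2 are assumptions.

```python
from statistics import mean

# Constructed sample data (not from the CIS document): the configuration monitoring
# system's per-endpoint results at time t and at t+1 (one scanning interval later).
# Each endpoint maps a recommendation id (r1..r4, placeholders) to True when compliant.
# "srv-02" is remediated between the two assessments; "ws-01" regresses on r1, which
# is exactly the drift that automatic enforcement/redeployment is meant to prevent.
ASSESSMENT_T = {
    "srv-01": {"r1": True,  "r2": True,  "r3": True, "r4": True},
    "srv-02": {"r1": False, "r2": False, "r3": True, "r4": True},
    "ws-01":  {"r1": True,  "r2": False, "r3": True, "r4": True},
}
ASSESSMENT_T1 = {
    "srv-01": {"r1": True,  "r2": True,  "r3": True, "r4": True},
    "srv-02": {"r1": True,  "r2": True,  "r3": True, "r4": True},
    "ws-01":  {"r1": False, "r2": False, "r3": True, "r4": True},
}

def m1(assessment):
    """M1: per-endpoint count of non-compliant recommendations."""
    return {ep: sum(1 for ok in recs.values() if not ok) for ep, recs in assessment.items()}

def m2(assessment):
    """M2: per-endpoint count of recommendations assessed."""
    return {ep: len(recs) for ep, recs in assessment.items()}

def m3(assessment):
    """M3: number of endpoints assessed."""
    return len(assessment)

def non_compliant_endpoints(assessment):
    """M4 (at t) or M5 (at t+1): endpoints with at least one non-compliant recommendation."""
    return sorted(ep for ep, count in m1(assessment).items() if count > 0)

def non_compliance_ratio(assessment):
    """Initial/Subsequent Non-Compliance: non-compliant recommendations over recommendations
    assessed, summed across all endpoints (fleet-wide aggregation is an assumption)."""
    return sum(m1(assessment).values()) / sum(m2(assessment).values())

def overall_compliance(assessment):
    """Overall Compliance: mean of per-endpoint compliance, taken as 1 - M1/M2 (assumption)."""
    counts, totals = m1(assessment), m2(assessment)
    return mean(1 - counts[ep] / totals[ep] for ep in assessment)

def regressed_endpoints(before, after):
    """Endpoints whose M1 grew from t to t+1; with enforcement tooling in place this should be empty."""
    b, a = m1(before), m1(after)
    return sorted(ep for ep in after if a[ep] > b.get(ep, 0))
```

A non-empty result from regressed_endpoints is the signal to investigate why the management tool did not redeploy the setting within the scanning interval.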