3.4 CONFIGURATION MANAGEMENT
Establish and enforce security configuration settings for information technology products employed in organizational systems.
Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture or functionality of the system. Information technology products for which security-related configuration settings can be defined include mainframe computers, servers, workstations, input and output devices (e.g., scanners, copiers, and printers), network components (e.g., firewalls, routers, gateways, voice and data switches, wireless access points, network appliances, sensors), operating systems, middleware, and applications.
Security parameters are those parameters impacting the security state of systems, including the parameters required to satisfy other security requirements. Security parameters include: registry settings; account, file, and directory permission settings; and settings for functions, ports, protocols, and remote connections. Organizations establish organization-wide configuration settings and subsequently derive specific configuration settings for systems. The established settings become part of the system's configuration baseline.
Common secure configurations (also referred to as security configuration checklists, lockdown and hardening guides, security reference guides, and security technical implementation guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for specific information technology platforms/products and instructions for configuring those system components to meet operational requirements. Common secure configurations can be developed by a variety of organizations, including information technology product developers, manufacturers, vendors, consortia, academia, industry, federal agencies, and other organizations in the public and private sectors.
[SP 800-70] and [SP 800-128] provide guidance on security configuration settings.
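The discussion above describes deriving specific settings from an organization-wide baseline and then enforcing them. The following added example (not part of the NIST text or of any product on this page) shows the enforcement half of that loop in Python: a captured sshd_config and a set of observed file modes are compared against a baseline covering two of the security parameter classes named above, settings for protocols and remote connections, and file permission settings. The baseline values, the sample sshd_config, and the observed modes are all constructed assumptions for the example; the parser follows sshd's own rule that the first occurrence of a keyword wins and that a commented-out directive leaves the daemon default in effect.

```python
"""Baseline drift checker: compares captured configuration against an
organization-defined baseline and reports each deviating parameter."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Organization-defined baseline for the SSH daemon. Values are assumptions
# chosen for this example, not a published benchmark. Keys are sshd_config
# keywords.
BASELINE_SSHD: Dict[str, str] = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "Protocol": "2",
    "X11Forwarding": "no",
    "MaxAuthTries": "4",
}

# Baseline file modes: path -> most permissive mode allowed. The paths are
# the usual OpenSSH/Linux locations; the modes are the example's assumptions.
BASELINE_PERMS: Dict[str, int] = {
    "/etc/ssh/sshd_config": 0o600,
    "/etc/shadow": 0o640,
    "/etc/ssh/ssh_host_ed25519_key": 0o600,
}

# Constructed sample of an sshd_config captured from a host (not a real host).
# PasswordAuthentication is commented out and MaxAuthTries appears twice.
SAMPLE_SSHD_CONFIG = """\
# sshd_config (constructed sample)
Port 22
Protocol 2
PermitRootLogin yes
#PasswordAuthentication no
X11Forwarding no
MaxAuthTries 6
MaxAuthTries 3
"""

# Constructed sample of observed file modes (stat() results masked to the
# permission bits). The host key file is deliberately absent from the capture.
SAMPLE_PERMS: Dict[str, int] = {
    "/etc/ssh/sshd_config": 0o644,
    "/etc/shadow": 0o640,
}


@dataclass
class Finding:
    parameter: str         # baseline parameter or file path that deviates
    expected: str          # baseline value
    actual: Optional[str]  # observed value; None means not set / not present


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Return the effective keyword -> value map from sshd_config text.

    Blank and commented lines are skipped, so a commented-out directive
    counts as 'not set' (the daemon default applies). Keywords are
    case-insensitive and the first occurrence of a keyword wins, which is
    how sshd itself resolves duplicate directives.
    """
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        settings.setdefault(key, value)  # first occurrence wins
    return settings


def check_sshd(text: str, baseline: Dict[str, str] = BASELINE_SSHD) -> List[Finding]:
    """Compare captured sshd_config text against the baseline, in baseline order."""
    actual = parse_sshd_config(text)
    findings: List[Finding] = []
    for key, expected in baseline.items():
        got = actual.get(key.lower())
        if got is None or got.lower() != expected.lower():
            findings.append(Finding(key, expected, got))
    return findings


def check_permissions(observed: Dict[str, int],
                      baseline: Dict[str, int] = BASELINE_PERMS) -> List[Finding]:
    """Flag files missing from the capture or granting bits beyond the baseline."""
    findings: List[Finding] = []
    for path, allowed in baseline.items():
        mode = observed.get(path)
        if mode is None or mode & ~allowed:  # any bit not permitted by baseline
            findings.append(Finding(path, oct(allowed), None if mode is None else oct(mode)))
    return findings


if __name__ == "__main__":
    for f in check_sshd(SAMPLE_SSHD_CONFIG) + check_permissions(SAMPLE_PERMS):
        print(f"DRIFT {f.parameter}: expected {f.expected}, observed {f.actual}")
```

Run against the constructed sample, the checker reports PermitRootLogin (set to yes), PasswordAuthentication (commented out, so unset), MaxAuthTries (the first value, 6, is the effective one), the sshd_config file (0o644 grants group and world read beyond the 0o600 baseline), and the missing host key file. Treating an absent directive as a finding rather than silently accepting the daemon default is the choice that keeps the baseline authoritative: enforcement means the setting is explicitly present and correct, not merely not wrong today.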
What is a Cybersecurity Compliance Framework?
As your security and privacy programs become more sophisticated, you do not need to clutter them with an ever-increasing number of tools. The Lionfish platform offers a one-stop solution to track progress and monitor any framework, from custom-built ones to highly specialized and in-demand security and privacy frameworks and certifications.
With the Lionfish platform, every framework is supported with guided scoping, policies, controls, automated evidence collection, and continuous monitoring, ensuring efficient preparation for audits or attestation in minimal time.
The Lionfish platform is compatible with a wide range of security and privacy frameworks, including:
- CMMC v2
- NERC CIP-002 through CIP-014 Revision 6
- NIST 800-171
- NIST 800-172
- PCI (Payment Card Industry Security Standard)
- SOC 2
- NIST 800-53
- NIST SP800-161 Supply Chain Risk Management
- CIS Framework Controls V8