Part of managing system compliance is ensuring that each system meets a minimum standard. Beyond this relatively straightforward component of the process, almost every compliance process includes other ongoing tasks, including risk assessment and configuration management. 

What is configuration management, exactly? These compliance frameworks will often refer to it, but implementing a management policy is entirely different. 

System Governance and Configuration Management

Configuration management can most accurately fall under the umbrella of governance. Large IT systems will typically have dozens, if not hundreds, of components, from hardware to software, each with their own unique configuration requirements. 

The challenge here is that each component potentially faces significant security risk due to a lack of proper configuration. Some of the more common threats against these components include:

• Default Settings: Platforms and software that rely on user authentication will often come packaged with administrative credentials set as easy-to-remember defaults–this way, the user can get into the system, make changes, and set up their accounts. Users may fail to change these default settings, meaning that hackers who know this information can spray and pray across the system ecosystem in hopes that someone left default settings intact, giving them system access. 
• Phishing Vulnerabilities: If configurations aren’t changed to support your organization’s unique endpoint security, these endpoints may remain vulnerable to phishing scams. 
• Compliance-Related Protections: Whether setting up multifactor authentication (MFA), authentication security, or port access restriction, configuration management helps your company address the larger security environment across all of our overall responsibilities. 

Because so much of compliance and security rely on the simple practice of configuring systems based on requirements, many companies will see this as a straightforward process. However, managing correct security standards in practice is a challenge across the hundreds of interacting components (including third-party services and vendor applications). 

It’s critical, then, to think of configuration management from these perspectives:

• Policy: Configuration management is essentially a form of governance. That is, it’s crucial that your organization can see the scope and scale of your IT systems and have a clear strategy for how to gauge the effectiveness and timeliness of your configuration settings, how they interact with one another, and how new threats and vulnerabilities affect their status. Governance policies define the larger processes and policies in place to observe, implement, and change configuration settings as needed to maintain the system’s protection. 
• Code and Automation: Managing configurations across your IT systems isn’t just about changing some files or clicking buttons on a web dashboard. In many cases, it’s about rapidly implementing changes across vast systems, often in response to the evolving contexts around security, data, and compliance standards. Scripts and automation help organizations deploy properly-configured hardware, software, or endpoint devices (like employee workstations) while applying the latest security updates or patches as defined by configuration policy. 
• Monitoring: The challenging part of configuration management is that most systems will not just work through flat “install the latest version of x” approaches. Instead, your IT administration will have specific patches or updates that play well with the software and hardware in that system. For this reason, many companies will utilize configuration monitoring to determine that all systems maintain the correct version of patches or updates. Furthermore, configuration monitoring can help security admins track changes to configuration settings due to attacks or internal mistakes that would open the system to hacks.

So, it’s clear that configuration management is a much larger process than just set-it-and-forget-it system settings. Instead, it’s a comprehensive approach to configurations that promotes interoperability and security without compromising usability or other critical parts of compliance (integrity and accessibility, for example). 

Some of the strategic approaches to configuration management are:

• Imperative: A rules-based approach that uses instructions to align processes with configurations–how the system and governance policies can implement specific instructions. 
• Declarative: This involves declaring an ideal state for the system that includes system-wide configuration settings, leaving the implementation of specific systems to engineers, data scientists, administrators and automated software. 

How Does Configuration Management Work?

Configuration management is a culture, an organization-wide approach to ensuring security and compliance through properly configured and secured technology and processes. 

This culture starts from the top with management and moves its way down through a standard (although dynamic) hierarchy:

• Management: At this stage, configuration management and processes must be planned, resourced, studied, and rooted in a hierarchy of roles and responsibilities. 
• Identification: Once the larger goals and needs of the organization and its systems are decided upon, more specific identification of the kinds of configurations and management processes are conceived, including the allocation of resources to specific management practices, the baseline requirements based on regulations or business needs, or documentation and marking of configuration update and upgrade paths. 
• Controls: Administration implements, oversees, and documents the actual deployment of configuration governance throughout the enterprise. This can include organizing automation and software, including configuration settings on large cloud-based content management systems, or providing ongoing documentation on implementing these controls. 
• Status Accounting: The organization should have a way to authenticate and report on the effectiveness of their implementations, including verification of proper implementation based on approved configuration standards. 
• Monitoring and Audits: Your organization should always have procedures to audit the effectiveness of configurations against security threats. This would include monitoring any changes to configuration settings, potential breaches of the system, and any potential technology innovations that could change the path of configuration governance. 

Integrate Configuration Management with Compliance with Continuum GRC

In many cases, the difference between a secure system and a data breach can come down to whether or not someone remembered to change a default password in a SaaS tool. Configuration management is a central part of compliance… Not only is it spelled out in several frameworks like HIPAA and PCI DSS, but it also serves as the bulwark for proper security. 

Continuum GRC provides compliance and risk-based systems management with cloud-based tools that also include comprehensive configuration management controls. 

Continuum GRC is cloud-based, always available and plugged into our team of experts. We provide risk management and compliance support for every major regulation and compliance framework on the market, including:

• FedRAMP
• StateRAMP
• NIST 800-53
• DFARS NIST 800-171
• CMMC
• SOC 1, SOC 2, SOC 3
• HIPAA
• PCI DSS 4.0
• IRS 1075
• COSO SOX
• ISO 27000 Series
• ISO 9000 Series

And more. We are also the only FedRAMP and StateRAMP authorized compliance and risk management solution in the world.

Continuum GRC is a proactive cyber security®, and the only FedRAMP and StateRAMP Authorized cybersecurity audit platform in the world. Call 1-888-896-6207 to discuss your organization’s cybersecurity needs and find out how we can help your organization protect its systems and ensure compliance.