Modern IT landscapes require the coordinated interaction of IT resources, network infrastructures, hardware and software applications and various types of services. The key to high-performance and secure operation lies in the proper configuration of all systems, components and applications involved. The new control 8.9 in information security, "Configuration management" from the updated version of ISO 27001:2022, formulates the appropriate security measure to design, implement and regularly review configuration management. The following blog post outlines the relevance of configuration management in information security in view of increasing security risks and the content of the new security control.

Increasing complexity and threats

Incorrect settings and security configurations harbor incalculable risks for information security. In view of the increasing complexity of modern IT environments, configuration management - i.e. the ongoing and systematic definition, documentation, implementation, monitoring and review of security configurations - is becoming a challenging task that extends into the compliance management of an organization.

For an outsider, the IT infrastructure is a confusing web of applications, devices, network components and services, whether hosted on-prem or in a cloud. The latter in particular have increased dramatically during the coronavirus pandemic. For IT teams, however, configuring the increasing number of system components and continuously monitoring and adapting the configurations of the systems means a considerable amount of work, which often overwhelms employees. Without systematic configuration management, this can lead to a considerable security risk and the loss or misuse of data (including personal data).

After all, 81% of security managers in a German study from 2022 stated that vulnerabilities and unknown misconfigurations cause the biggest security problems in their infrastructures. And in the Pandemic Eleven, a study by the Cloud Security Alliance on the most serious vulnerabilities in cloud computing during the pandemic, misconfigurations are also in a prominent third place.

It is therefore a logical consequence of the developments of recent years to pay more attention to configuration management in information technology, for example to prevent unauthorized access. It is therefore right that the new ISO/IEC 27001:2022 has dedicated a separate information security control to this topic.

Configuration management in the context of ISO 27001:2022

The restructured Annex A of ISO 27001 from 2022 contains 93 information security measures (controls), including 11 new ones. With the update, the controls are now organized thematically in four sections:

  • Organizational measures
  • Personal measures
  • Physical measures
  • Technological measures

Secure configuration management in information technology falls under the subject area of technological or technical measures and is listed in Annex A under 8.9. It is one of the preventive tools that support all three protection goals of information security (confidentiality, integrity and availability).

Standard templates

The definition of standard templates helps organizations to systematize their configuration management. The following basic aspects should be taken into account in this development:

  • Publicly available guidance, for example from vendors or independent security bodies
  • Required protection levels to ensure adequate security
  • Support for internal information security policy, topic-specific guidelines, standards and other security requirements
  • Feasibility and applicability of configurations in the context of the organization

The developed standard templates should be reviewed and updated regularly, especially when new threats or vulnerabilities need to be addressed, or when new software or hardware versions are introduced into the organization.

There are also a number of other points to consider when creating the templates. These all help to prevent unauthorized or incorrect changes to configurations:

  • Minimizing the number of identities with privileged or administrative access rights
  • Deactivating unnecessary, unused or insecure identities
  • Deactivating or restricting functions and services that are not required
  • Restricting access to powerful utilities and host parameter settings
  • Synchronization of clocks
  • Changing the manufacturer's default authentication data and default passwords immediately after installation and checking important security-relevant parameters
  • Using timeout facilities that automatically log off computer devices after a certain period of inactivity
  • Checking whether the license requirements are met

Management and monitoring of configurations

All configurations should be recorded and changes reliably logged in order to rule out misconfigurations after an incident. This information must be stored securely, for example in configuration databases or templates.

All changes are made in accordance with control 8.32 "Change control", which describes a guideline for changes to information processing facilities and information systems. The configuration records must contain all the information required to track both the status of an IT system or asset and any changes made to it at any time. This includes, for example, the following information:

  • Current information about the asset in question: who is the owner or point of contact?
  • Date of the last configuration change
  • Version of the configuration template
  • Connections and relationships to the configurations of other assets

A comprehensive set of system management tools - such as maintenance programs, remote support, enterprise management tools and backup and restore software - helps to monitor and regularly check configurations. With the help of these tools, managers can verify configuration settings, evaluate password strengths and assess activities performed.

Actual states can also be compared with the defined target templates and appropriate responses can be initiated in the event of deviations - either by automatically enforcing the defined target configuration or by manually analyzing the deviation and subsequent corrective measures. Automation, for example via infrastructure as code (programmable infrastructure), allows security configurations in virtualized environments and cloud computing to be managed efficiently and securely.
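As an added example (not from the blog post or from DQS), the comparison of an asset's actual state against its target template described above, together with a check that its configuration record carries the fields listed in the previous section and a simple "enforce the template" response; the sshd-style settings, the template version and the host record are constructed placeholders.

```python
"""Config drift check against a target template, plus a completeness check of
the configuration record. Added example with constructed data; not DQS/ISO code."""
from datetime import date

# Constructed target template: a few sshd_config-style hardening settings.
TEMPLATE = {"version": "ssh-baseline-1.2",
            "settings": {"PermitRootLogin": "no", "PasswordAuthentication": "no",
                         "X11Forwarding": "no", "ClientAliveInterval": "300"}}

# Fields a configuration record needs so status and changes can be tracked.
REQUIRED_RECORD_FIELDS = ("owner", "last_change", "template_version", "related_assets")

def parse_config(text):
    """Parse 'Key value' lines, ignoring comments and blank lines; last value wins."""
    actual = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition(" ")
            actual[key] = value.strip()
    return actual

def find_drift(actual, template=TEMPLATE):
    """Return (key, expected, found) for every template setting that deviates; found is None if absent."""
    return [(k, v, actual.get(k)) for k, v in template["settings"].items() if actual.get(k) != v]

def enforce(actual, template=TEMPLATE):
    """Automatic response: reset every drifted key to the template value, keep the rest."""
    return {**actual, **template["settings"]}

def check_record(record, template=TEMPLATE):
    """Return a list of problems with the asset's configuration record (empty if it is complete)."""
    problems = [f"missing field: {f}" for f in REQUIRED_RECORD_FIELDS if f not in record]
    if record.get("template_version") not in (None, template["version"]):
        problems.append(f"stale template: {record['template_version']} != {template['version']}")
    return problems

# Constructed sample: a host where password logins were re-enabled and X11Forwarding is unset.
SAMPLE_CONFIG = """# constructed sshd_config excerpt
PermitRootLogin no
PasswordAuthentication yes   # deviates from the template
ClientAliveInterval 300
"""
SAMPLE_RECORD = {"owner": "platform-team@example.invalid", "last_change": date(2024, 3, 1),
                 "template_version": "ssh-baseline-1.1", "related_assets": ["jump-host-01"]}

if __name__ == "__main__":
    for key, expected, found in find_drift(parse_config(SAMPLE_CONFIG)):
        print(f"DRIFT {key}: expected {expected!r}, found {found!r}")
    for problem in check_record(SAMPLE_RECORD):
        print("RECORD", problem)
```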


Configuration management in information security - a summary

Configuration management in information security is an important security tool and makes a lasting contribution to significantly reducing security gaps caused by misconfigurations. Its systematic approach relieves the burden on internal teams and contributes to efficient IT operations as well as to the hardening of systems and the availability of information and confidential data. The positive effects on personal data protection, for example, are also obvious.

Configuration management can also be integrated into asset management processes and associated tools. The central management of security settings makes it possible to react quickly to new threats and vulnerabilities affecting the availability of systems and data protection, thus helping to minimize potential attack surfaces in systems. The new information security control 8.9 from ISO 27001 provides an important security contribution for organizations and their management.

This added value must be implemented by companies and organizations. The requirements from control 8.9 must be compared with the current status and further optimized via a controlled change process. With over 35 years of audit and certification expertise, we are your ideal partner and can provide you with advice and support on the subject of information security.

What does the update mean for your certification?

ISO/IEC 27001:2022 was published on October 25, 2022.

This results in the following deadlines and periods for the transition for users:

Last date for initial/recertification audits under the "old" ISO 27001

  • After April 30, 2024, DQS will only conduct initial and recertification audits in accordance with the new ISO/IEC 27001:2022 standard

Conversion of all existing certificates according to the "old" ISO/IEC 27001:2013 to the new 2022 version

  • A 3-year transition period applies from October 31, 2022
  • Certificates issued in accordance with ISO/IEC 27001:2013 or DIN EN ISO/IEC 27001:2017 are valid until October 31, 2025 at the latest or must be withdrawn on this date

ISO/IEC 27001:2022 - Information security, cybersecurity and privacy protection - Information security management systems - Requirements

DQS: Simply leveraging Security

Organizations still have some time to make the transition to the new version of ISO/IEC 27001. The current certificates based on the old standard will lose their validity on October 31, 2025. Nevertheless, they are well advised to deal with the changed requirements for an information security management system (ISMS) at an early stage, initiate suitable change processes and implement them accordingly.

As experts in audits and certifications with over three decades of experience, we can support you in implementing the new ISO 27001:2022. Find out from our many experienced auditors about the most important changes and their relevance for your company - and put your trust in our expertise. We look forward to hearing from you.


Trust and expertise

Our articles and whitepapers are written exclusively by our standards experts or long-standing auditors. If you have any questions for our author about the content of the text or our services, please contact us.

Author
Markus Jegelka

DQS expert for information security management systems (ISMS) and long-time auditor for the standards ISO 9001, ISO/IEC 27001 and IT security catalog according to para 11.1a of the German Energy Industry Act (EnWG)
