IT Best Practices for Community Colleges Part 3: Configuration Management Donald Hester March 30, 2010 For audio call Toll Free 1-888-886-3951 and use PIN/code 133206
Housekeeping Maximize your CCC Confer window. Phone audio will be in presenter-only mode. Ask questions and make comments using the chat window.
Do not listen on both computer and phone. Adjusting Audio If you’re listening on your computer, adjust your volume using the speaker slider. If you’re listening over the phone, click on phone headset. Do not listen on both computer and phone.
Saving Files & Open/close Captions Save chat window with floppy disc icon Open/close captioning window with CC icon
Emoticons and Polling Raise hand and Emoticons Polling options
IT Best Practices for Community Colleges Part 3: Configuration Management Donald Hester
Configuration Management “The management of security features and assurances through control of changes made to hardware, software, firmware, documentation, test, test fixtures, and test documentation throughout the life cycle of an information system.” National Information Systems Security Glossary
IT Standards Control Objectives for Information and related Technology (COBIT) Information Technology Infrastructure Library (ITIL) International Standards Organization (ISO) National Institute of Standards and Technology (NIST)
The facts 80% of IT systems outages are caused by operator and application errors.
High-Performance IT organizations Common Characteristics 1 admin for every 100 servers More planned work than unplanned work More staff early in lifecycle Collaboration Posture of compliance (IT standards) Culture of change management Understand causality Manage by facts
The missing pieces Configuration Management Change Management Release Management Incident Management Problem Management
Benefits of Configuration Management Good CM does not increase workload it decreases it Fewer Incidents Greater Return on Investment (ROI) Faster Recovery (MTTR) Improve IS quality Improve IT service
CM Lifecycle Configuration identification Configuration control Baseline, gold standard Configuration control Change management, change control Configuration status accounting Enforcement Configuration audits Testing
Configuration Identification Configuration Management Database (CMDB) A repository of information related to all the components of an information system Configuration files Group Policy settings Image files for operating systems Details about the important attributes and relationships between them
Policy Develop, disseminate, and review/update A documented configuration management policy Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance
Baseline Develop, document, and maintain under configuration control, a current baseline configuration Images Builds CMDB Configuration files GPO (Group policy objects)
Baselines A place to start Modify based upon your needs Federal Desktop Core Configuration (FDCC) CIS Benchmarks Modify based upon your needs You may have different configurations for different workstations Compatibility issues Interoperability issues
Control Change Determine the types of changes to the information system that are configuration controlled Approve configuration-controlled changes Coordinate and provide oversight for configuration change control activities Document approved configuration-controlled changes
Impact Analysis Analyze changes to the information system to determine potential security impacts prior to change implementation Confidentiality Integrity Availability Interoperability Compatibility
Restrict changes to the system Define, document, approve, and enforce physical and logical access restrictions associated with changes to the information system Limit who can make changes This means no local admins Automate if possible
Least Functionality Configure the information system to provide only essential capabilities and specifically prohibit or restrict the use of functions, ports, protocols, and/or services If it is not needed why have it?
Inventory Develop, document, and maintain an inventory of information system components Accurately reflect the current system At a level of granularity deemed necessary
NIST There is no compulsory IT standard required for local governments The National Institute of Standards and Technology (NIST)encourages state, local and tribal governments to consider the use of these guidelines, as appropriate In adopting NIST standards the local government demonstrates due diligence
Resources Institute of Configuration Management NIST (FDCC) http://www.icmhq.com/ NIST (FDCC) http://nvd.nist.gov/fdcc/index.cfm Center for Internet Security (CIS) Benchmarks http://cisecurity.org/ IT Governance Institute (ITGI) http://www.itgi.org/
Q&A Donald E. Hester CISSP, CISA, CAP, MCT, MCITP, MCTS, MCSE Security, Security+ Maze & Associates @One / San Diego City College www.LearnSecurity.org http://www.linkedin.com/in/donaldehester http://www.facebook.com/group.php?gid=245570977486 25
Evaluation Survey Link Help us improve our seminars by filing out a short online evaluation survey at: http://www.surveymonkey.com/s/10SpIT3
Join us in San Diego at the 2010 Online Teaching Conference “Engaging every online student in lean and green times.” June 16, 17, & 18 - San Diego City College Register now at http://otc10.org
IT Best Practices for Community Colleges Part 3: Configuration Management Thanks for attending For upcoming events and links to recently archived seminars, check the @ONE Web site at: http://onefortraining.org/