Donald Hester March 30, 2010 For audio call Toll Free and use PIN/code IT Best Practices for Community Colleges Part 3: Configuration Management

Maximize your CCC Confer window. Phone audio will be in presenter-only mode. Ask questions and make comments using the chat window. Housekeeping

Adjusting Audio 1)If youre listening on your computer, adjust your volume using the speaker slider. 2)If youre listening over the phone, click on phone headset. Do not listen on both computer and phone.

Saving Files & Open/close Captions 1.Save chat window with floppy disc icon 2.Open/close captioning window with CC icon

Emoticons and Polling 1)Raise hand and Emoticons 2)Polling options

Donald Hester IT Best Practices for Community Colleges Part 3: Configuration Management

The management of security features and assurances through control of changes made to hardware, software, firmware, documentation, test, test fixtures, and test documentation throughout the life cycle of an information system. National Information Systems Security Glossary 7

Control Objectives for Information and related Technology (COBIT) Information Technology Infrastructure Library (ITIL) International Standards Organization (ISO) National Institute of Standards and Technology (NIST) 8

80% of IT systems outages are caused by operator and application errors.

1 admin for every 100 servers More planned work than unplanned work More staff early in lifecycle Collaboration Posture of compliance (IT standards) Culture of change management Understand causality Manage by facts

Configuration Management Change Management Release Management Incident Management Problem Management

Benefits of Configuration Management Good CM does not increase workload it decreases it Fewer Incidents Greater Return on Investment (ROI) Faster Recovery (MTTR) Improve IS quality Improve IT service

Configuration identification Baseline, gold standard Configuration control Change management, change control Configuration status accounting Enforcement Configuration audits Testing 13

Configuration Management Database (CMDB) A repository of information related to all the components of an information system Configuration files Group Policy settings Image files for operating systems Details about the important attributes and relationships between them 14

Develop, disseminate, and review/update A documented configuration management policy Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance 15

Develop, document, and maintain under configuration control, a current baseline configuration Images Builds CMDB Configuration files GPO (Group policy objects) 16

A place to start Federal Desktop Core Configuration (FDCC) CIS Benchmarks Modify based upon your needs You may have different configurations for different workstations Compatibility issues Interoperability issues 17

Determine the types of changes to the information system that are configuration controlled Approve configuration-controlled changes Coordinate and provide oversight for configuration change control activities Document approved configuration- controlled changes 18

Analyze changes to the information system to determine potential security impacts prior to change implementation Confidentiality Integrity Availability Interoperability Compatibility 19

Define, document, approve, and enforce physical and logical access restrictions associated with changes to the information system Limit who can make changes This means no local admins Automate if possible 20

Configure the information system to provide only essential capabilities and specifically prohibit or restrict the use of functions, ports, protocols, and/or services If it is not needed why have it? 21

Develop, document, and maintain an inventory of information system components Accurately reflect the current system At a level of granularity deemed necessary 22

There is no compulsory IT standard required for local governments The National Institute of Standards and Technology (NIST)encourages state, local and tribal governments to consider the use of these guidelines, as appropriate In adopting NIST standards the local government demonstrates due diligence

Institute of Configuration Management NIST (FDCC) Center for Internet Security (CIS) Benchmarks IT Governance Institute (ITGI) 24

Donald E. Hester CISSP, CISA, CAP, MCT, MCITP, MCTS, MCSE Security, Security+ Maze & / San Diego City College Q&A

Evaluation Survey Link Help us improve our seminars by filing out a short online evaluation survey at:

Engaging every online student in lean and green times. June 16, 17, & 18 - San Diego City College Register now at Join us in San Diego at the 2010 Online Teaching Conference

Thanks for attending For upcoming events and links to recently archived seminars, check Web site at: IT Best Practices for Community Colleges Part 3: Configuration Management