1. IT Best Practices for Community Colleges Part 3: Configuration Management
Donald Hester
March 30, 2010
For audio call Toll Free
and use PIN/code

2. Housekeeping Maximize your CCC Confer window.
Phone audio will be in presenter-only mode.
Ask questions and make comments using the chat window.

3. Do not listen on both computer and phone.
Adjusting Audio
If you’re listening on your computer, adjust your volume using the speaker slider.
If you’re listening over the phone, click on phone headset.
Do not listen on both computer and phone.

4. Saving Files & Open/close Captions
Save chat window with floppy disc icon
Open/close captioning window with CC icon

5. Emoticons and Polling
Raise hand and Emoticons
Polling options

6. IT Best Practices for Community Colleges Part 3: Configuration Management
Donald Hester

7. Configuration Management
“The management of security features and assurances through control of changes made to hardware, software, firmware, documentation, test, test fixtures, and test documentation throughout the life cycle of an information system.”
National Information Systems Security Glossary

8. IT Standards
Control Objectives for Information and related Technology (COBIT)
Information Technology Infrastructure Library (ITIL)
International Standards Organization (ISO)
National Institute of Standards and Technology (NIST)

9. The facts
80% of IT systems outages are caused by operator and application errors.

10. High-Performance IT organizations Common Characteristics
1 admin for every 100 servers
More planned work than unplanned work
More staff early in lifecycle
Collaboration
Posture of compliance (IT standards)
Culture of change management
Understand causality
Manage by facts

11. The missing pieces Configuration Management Change Management
Release Management
Incident Management
Problem Management

12. Benefits of Configuration Management
Good CM does not increase workload it decreases it
Fewer Incidents
Greater Return on Investment (ROI)
Faster Recovery (MTTR)
Improve IS quality
Improve IT service

13. CM Lifecycle Configuration identification Configuration control
Baseline, gold standard
Configuration control
Change management, change control
Configuration status accounting
Enforcement
Configuration audits
Testing

14. Configuration Identification
Configuration Management Database (CMDB)
A repository of information related to all the components of an information system
Configuration files
Group Policy settings
Image files for operating systems
Details about the important attributes and relationships between them

15. Policy Develop, disseminate, and review/update
A documented configuration management policy
Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance

16. Baseline
Develop, document, and maintain under configuration control, a current baseline configuration
Images
Builds
CMDB
Configuration files
GPO (Group policy objects)

17. Baselines A place to start Modify based upon your needs
Federal Desktop Core Configuration (FDCC)
CIS Benchmarks
Modify based upon your needs
You may have different configurations for different workstations
Compatibility issues
Interoperability issues

18. Control Change
Determine the types of changes to the information system that are configuration controlled
Approve configuration-controlled changes
Coordinate and provide oversight for configuration change control activities
Document approved configuration-controlled changes

19. Impact Analysis
Analyze changes to the information system to determine potential security impacts prior to change implementation
Confidentiality
Integrity
Availability
Interoperability
Compatibility

20. Restrict changes to the system
Define, document, approve, and enforce physical and logical access restrictions associated with changes to the information system
Limit who can make changes
This means no local admins
Automate if possible

21. Least Functionality
Configure the information system to provide only essential capabilities and specifically prohibit or restrict the use of functions, ports, protocols, and/or services
If it is not needed why have it?

22. Inventory
Develop, document, and maintain an inventory of information system components
Accurately reflect the current system
At a level of granularity deemed necessary

23. NIST There is no compulsory IT standard required for local governments
The National Institute of Standards and Technology (NIST)encourages state, local and tribal governments to consider the use of these guidelines, as appropriate
In adopting NIST standards the local government demonstrates due diligence

24. Resources Institute of Configuration Management NIST (FDCC)
NIST (FDCC)
Center for Internet Security (CIS) Benchmarks
IT Governance Institute (ITGI)

25. Q&A
Donald E. Hester
CISSP, CISA, CAP, MCT, MCITP, MCTS, MCSE Security, Security+
Maze & Associates
@One / San Diego City College 25

26. Evaluation Survey Link
Help us improve our seminars by filing out a short online evaluation survey at:

27. Join us in San Diego at the 2010 Online Teaching Conference
“Engaging every online student in lean and green times.”
June 16, 17, & 18 - San Diego City College
Register now at

28. IT Best Practices for Community Colleges Part 3: Configuration Management
Thanks for attending
For upcoming events and links to recently archived seminars, check Web site at: