1. Donald Hester March 30, 2010 For audio call Toll Free 1 - 888-886-3951 and use PIN/code 133206 IT Best Practices for Community Colleges Part 3: Configuration Management

2. Maximize your CCC Confer window. Phone audio will be in presenter-only mode. Ask questions and make comments using the chat window. Housekeeping

3. Adjusting Audio 1)If youre listening on your computer, adjust your volume using the speaker slider. 2)If youre listening over the phone, click on phone headset. Do not listen on both computer and phone.

4. Saving Files & Open/close Captions 1.Save chat window with floppy disc icon 2.Open/close captioning window with CC icon

5. Emoticons and Polling 1)Raise hand and Emoticons 2)Polling options

6. Donald Hester IT Best Practices for Community Colleges Part 3: Configuration Management

7. The management of security features and assurances through control of changes made to hardware, software, firmware, documentation, test, test fixtures, and test documentation throughout the life cycle of an information system. National Information Systems Security Glossary 7

8. Control Objectives for Information and related Technology (COBIT) Information Technology Infrastructure Library (ITIL) International Standards Organization (ISO) National Institute of Standards and Technology (NIST) 8

9. 80% of IT systems outages are caused by operator and application errors.

10. 1 admin for every 100 servers More planned work than unplanned work More staff early in lifecycle Collaboration Posture of compliance (IT standards) Culture of change management Understand causality Manage by facts

11. Configuration Management Change Management Release Management Incident Management Problem Management

12. Benefits of Configuration Management Good CM does not increase workload it decreases it Fewer Incidents Greater Return on Investment (ROI) Faster Recovery (MTTR) Improve IS quality Improve IT service

13. Configuration identification Baseline, gold standard Configuration control Change management, change control Configuration status accounting Enforcement Configuration audits Testing 13

14. Configuration Management Database (CMDB) A repository of information related to all the components of an information system Configuration files Group Policy settings Image files for operating systems Details about the important attributes and relationships between them 14

15. Develop, disseminate, and review/update A documented configuration management policy Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance 15

16. Develop, document, and maintain under configuration control, a current baseline configuration Images Builds CMDB Configuration files GPO (Group policy objects) 16

17. A place to start Federal Desktop Core Configuration (FDCC) CIS Benchmarks Modify based upon your needs You may have different configurations for different workstations Compatibility issues Interoperability issues 17

18. Determine the types of changes to the information system that are configuration controlled Approve configuration-controlled changes Coordinate and provide oversight for configuration change control activities Document approved configuration- controlled changes 18

19. Analyze changes to the information system to determine potential security impacts prior to change implementation Confidentiality Integrity Availability Interoperability Compatibility 19

20. Define, document, approve, and enforce physical and logical access restrictions associated with changes to the information system Limit who can make changes This means no local admins Automate if possible 20

21. Configure the information system to provide only essential capabilities and specifically prohibit or restrict the use of functions, ports, protocols, and/or services If it is not needed why have it? 21

22. Develop, document, and maintain an inventory of information system components Accurately reflect the current system At a level of granularity deemed necessary 22

23. There is no compulsory IT standard required for local governments The National Institute of Standards and Technology (NIST)encourages state, local and tribal governments to consider the use of these guidelines, as appropriate In adopting NIST standards the local government demonstrates due diligence

24. Institute of Configuration Management http://www.icmhq.com/ NIST (FDCC) http://nvd.nist.gov/fdcc/index.cfm Center for Internet Security (CIS) Benchmarks http://cisecurity.org/ IT Governance Institute (ITGI) http://www.itgi.org/ 24

25. Donald E. Hester CISSP, CISA, CAP, MCT, MCITP, MCTS, MCSE Security, Security+ Maze & Associates @One / San Diego City College www.LearnSecurity.org http://www.linkedin.com/in/donaldehester http://www.facebook.com/group.php?gid=245570977486 Q&A

26. Evaluation Survey Link Help us improve our seminars by filing out a short online evaluation survey at: http://www.surveymonkey.com/s/10SpIT3

27. Engaging every online student in lean and green times. June 16, 17, & 18 - San Diego City College Register now at http://otc10.org Join us in San Diego at the 2010 Online Teaching Conference

28. Thanks for attending For upcoming events and links to recently archived seminars, check the @ONE Web site at: http://onefortraining.org/ IT Best Practices for Community Colleges Part 3: Configuration Management