IT Best Practices for Community Colleges Part 3: Configuration Management Donald Hester March 30, 2010 For audio call Toll Free 1 888-886-3951 and use PIN/code 133206

Housekeeping • • • Maximize your CCC Confer window.

Phone audio will be in presenter-only mode.

Ask questions and make comments using the chat window.

Adjusting Audio 1) If you’re listening on your computer, adjust your volume using the speaker slider.

2) If you’re listening over the phone, click on phone headset.

Do not listen on both computer and phone.

Saving Files & Open/close Captions 1.

2.

Save chat window with floppy disc icon Open/close captioning window with CC icon

Emoticons and Polling 1) 2) Raise hand and Emoticons Polling options

IT Best Practices for Community Colleges Part 3: Configuration Management Donald Hester

7 Configuration Management  “The management of security features and assurances through control of changes made to hardware, software, firmware, documentation, test, test fixtures, and test documentation throughout the life cycle of an information system.” • National Information Systems Security Glossary

8 IT Standards  Control Objectives for Information and related Technology (COBIT)  Information Technology Infrastructure Library (ITIL)  International Standards Organization (ISO)  National Institute of Standards and Technology (NIST)

The facts  80% of IT systems outages are caused by operator and application errors.

High-Performance IT organizations Common Characteristics         1 admin for every 100 servers More planned work than unplanned work More staff early in lifecycle Collaboration Posture of compliance (IT standards) Culture of change management Understand causality Manage by facts

The missing pieces      Configuration Management Change Management Release Management Incident Management Problem Management

Benefits of Configuration Management       Good CM does not increase workload it decreases it Fewer Incidents Greater Return on Investment (ROI) Faster Recovery (MTTR) Improve IS quality Improve IT service

13 CM Lifecycle  Configuration identification • Baseline, gold standard  Configuration control • Change management, change control  Configuration status accounting • Enforcement  Configuration audits • Testing

Configuration Identification 14  Configuration Management Database (CMDB)  A repository of information related to all the components of an information system • • • Configuration files Group Policy settings Image files for operating systems  Details about the important attributes and relationships between them

15 Policy   Develop, disseminate, and review/update A documented configuration management policy  Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance

16 Baseline  Develop, document, and maintain under configuration control, a current baseline configuration • • • • • Images Builds CMDB Configuration files GPO (Group policy objects)

17 Baselines  A place to start • Federal Desktop Core Configuration (FDCC) • CIS Benchmarks  Modify based upon your needs • You may have different configurations for different workstations • • Compatibility issues Interoperability issues

Control Change 18  Determine the types of changes to the information system that are configuration controlled  Approve configuration-controlled changes  Coordinate and provide oversight for configuration change control activities  Document approved configuration controlled changes

19 Impact Analysis  Analyze changes to the information system to determine potential security impacts prior to change implementation • • • • • Confidentiality Integrity Availability Interoperability Compatibility

20 Restrict changes to the system  Define, document, approve, and enforce physical and logical access restrictions associated with changes to the information system • • • Limit who can make changes This means no local admins Automate if possible

21 Least Functionality  Configure the information system to provide only essential capabilities and specifically prohibit or restrict the use of functions, ports, protocols, and/or services • If it is not needed why have it?

22 Inventory  Develop, document, and maintain an inventory of information system components • • Accurately reflect the current system At a level of granularity deemed necessary

NIST  There is no compulsory IT standard required for local governments  The National Institute of Standards and Technology (NIST)encourages state, local and tribal governments to consider the use of these guidelines, as appropriate  In adopting NIST standards the local government demonstrates due diligence

Resources 24  Institute of Configuration Management • http://www.icmhq.com/  NIST (FDCC) • http://nvd.nist.gov/fdcc/index.cfm

 Center for Internet Security (CIS) Benchmarks • http://cisecurity.org/  IT Governance Institute (ITGI) • http://www.itgi.org/

Q&A Donald E. Hester CISSP, CISA, CAP, MCT, MCITP, MCTS, MCSE Security, Security+ Maze & Associates @One / San Diego City College www.LearnSecurity.org

http://www.linkedin.com/in/donaldehester http://www.facebook.com/group.php?gid=245570977486

Evaluation Survey Link Help us improve our seminars by filing out a short online evaluation survey at: http://www.surveymonkey.com/s/10SpIT3

Join us in San Diego at the 2010 Online Teaching Conference

“Engaging every online student in lean and green times.”

June 16, 17, & 18 - San Diego City College Register now at http://otc10.org

IT Best Practices for Community Colleges Part 3: Configuration Management

Thanks for attending

For upcoming events and links to recently archived seminars, check the @ONE Web site at:

http://onefortraining.org/