Donald HesterMarch 30, 2010

For audio call Toll Free 1-888-886-3951

and use PIN/code 133206

IT Best Practices for Community Colleges Part 3: Configuration ManagementIT Best Practices for Community Colleges Part 3: Configuration Management

• Maximize your CCC Confer window.• Phone audio will be in presenter-only mode.• Ask questions and make comments using the chat window.

HousekeepingHousekeeping

Adjusting AudioAdjusting Audio

1) If you’re listening on your computer, adjust your volume using the speaker slider.

2) If you’re listening over the phone, click on phone headset.

Do not listen on both computer and phone.

Saving Files & Open/close CaptionsSaving Files & Open/close Captions

1. Save chat window with floppy disc icon

2. Open/close captioning window with CC icon

Emoticons and PollingEmoticons and Polling

1) Raise hand and Emoticons

2) Polling options

Donald Hester

IT Best Practices for Community Colleges Part 3: Configuration ManagementIT Best Practices for Community Colleges Part 3: Configuration Management

“The management of security features and assurances through control of changes made to hardware, software, firmware, documentation, test, test fixtures, and test documentation throughout the life cycle of an information system.”• National Information Systems Security

Glossary

7

Control Objectives for Information and related Technology (COBIT)

Information Technology Infrastructure Library (ITIL)

International Standards Organization (ISO)

National Institute of Standards and Technology (NIST)

8

80% of IT systems outages are caused by operator and application errors.

1 admin for every 100 servers More planned work than unplanned work More staff early in lifecycle Collaboration Posture of compliance (IT standards) Culture of change management Understand causality Manage by facts

Configuration Management Change Management Release Management Incident Management Problem Management

Benefits of Configuration ManagementBenefits of Configuration Management

Good CM does not increase workload it decreases it

Fewer Incidents Greater Return on Investment (ROI) Faster Recovery (MTTR) Improve IS quality Improve IT service

Configuration identification• Baseline, gold standard

Configuration control• Change management, change control

Configuration status accounting• Enforcement

Configuration audits• Testing

13

Configuration Management Database (CMDB)

A repository of information related to all the components of an information system• Configuration files

• Group Policy settings

• Image files for operating systems

Details about the important attributes and relationships between them

14

Develop, disseminate, and review/update

A documented configuration management policy

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance

15

Develop, document, and maintain under configuration control, a current baseline configuration • Images

• Builds

• CMDB

• Configuration files

• GPO (Group policy objects)

16

A place to start• Federal Desktop Core Configuration (FDCC)

• CIS Benchmarks

Modify based upon your needs• You may have different configurations for

different workstations

• Compatibility issues

• Interoperability issues

17

Determine the types of changes to the information system that are configuration controlled

Approve configuration-controlled changes Coordinate and provide oversight for

configuration change control activities Document approved configuration-

controlled changes

18

Analyze changes to the information system to determine potential security impacts prior to change implementation • Confidentiality

• Integrity

• Availability

• Interoperability

• Compatibility

19

Define, document, approve, and enforce physical and logical access restrictions associated with changes to the information system • Limit who can make changes

• This means no local admins

• Automate if possible

20

Configure the information system to provide only essential capabilities and specifically prohibit or restrict the use of functions, ports, protocols, and/or services • If it is not needed why have it?

21

Develop, document, and maintain an inventory of information system components • Accurately reflect the current system

• At a level of granularity deemed necessary

22

There is no compulsory IT standard required for local governments

The National Institute of Standards and Technology (NIST)encourages state, local and tribal governments to consider the use of these guidelines, as appropriate

In adopting NIST standards the local government demonstrates due diligence

Institute of Configuration Management • http://www.icmhq.com/

NIST (FDCC)• http://nvd.nist.gov/fdcc/index.cfm

Center for Internet Security (CIS) Benchmarks• http://cisecurity.org/

IT Governance Institute (ITGI)• http://www.itgi.org/

24

Donald E. HesterCISSP, CISA, CAP, MCT, MCITP, MCTS, MCSE Security, Security+

Maze & Associates

@One / San Diego City College

www.LearnSecurity.org

http://www.linkedin.com/in/donaldehester

http://www.facebook.com/group.php?gid=245570977486

Q&AQ&A

Evaluation Survey LinkEvaluation Survey Link

Help us improve our seminars by filing out a short online evaluation survey at:

http://www.surveymonkey.com/s/10SpIT3

“Engaging every online student in lean and green times.”

June 16, 17, & 18 - San Diego City CollegeRegister now at http://otc10.org

Join us in San Diego at the2010 Online Teaching ConferenceJoin us in San Diego at the2010 Online Teaching Conference

Thanks for attendingFor upcoming events and links to recently archived

seminars, check the @ONE Web site at:

http://onefortraining.org/

IT Best Practices for Community Colleges Part 3: Configuration ManagementIT Best Practices for Community Colleges Part 3: Configuration Management