Defence in Depth for Securing Computer Systems/Configuration Control and Documentation

Defence in Depth for Security Computer Systems/Preparation/Baselining

Configuration Control and Documentation

edit

Now every good system administrator will have some knowledge of the systems they are responsible for in their head, or on spreadsheets, word files, homegrown database system etc. However, can you truthfully answer the following questions?

1. Is it 100% up to date?

2. Is it 100% correct?

3. Do your colleagues/boss know where it is and how to read it?

4. Is this the only copy that exists or do other system administrators keep similar systems?

These questions highlight the need for configuration control and a central and unique repository of documentation.

The best way to commence the creation of the central repository of information is to first determine what currently exists. If a system administrator is responsible for looking after a large

number of servers and switches, generally they will keep the information they need to do their job handy. Depending upon their skill with the tools available to them, this could be anything from a sophisticated spreadsheet with macros and formulas to a simple text file with a list of IP addresses. Don't discount what you currently have, but try to look at all of the various system and attempt to develop a best of breed approach. Take the various systems that already exist, adopt it organisation wide and make it mandatory for all system administrators to use that system. Once you have a standard system that is used by all system administrators, then you need to ensure that it is maintained and kept up-to-date. This is task now becomes mostly a policy and procedure function. There are two areas you need to address: 1. Changes to existing configuration 2. Additions to the network An approach that can be used here is to adopt a Configuration Control Board to handle and approve any changes and additions. This provides a solid and robust framework to ensure that all changes are documented and (possibly more importantly) that all changes are approved and reviewed before they are made.