System Configuration Management Policy and Procedures
Internal Use
Dispel
Document Control
| Item | Details |
|---|---|
| Version | 1.0 |
| Cadence | Annual |
| Policy Owner | Chief Technology Officer |
| Approved By | Chief Executive Officer |
| DCF References | DCF-1, DCF-4, DCF-5, DCF-6, DCF-7, DCF-10, DCF-11, DCF-12, DCF-13, DCF-15, DCF-16, DCF-17, DCF-20, DCF-21, DCF-22, DCF-25, DCF-28, DCF-29, DCF-30, DCF-32, DCF-33, DCF-35, DCF-36, DCF-38, DCF-39, DCF-40, DCF-41, DCF-42, DCF-43, DCF-44, DCF-45, DCF-47, DCF-48, DCF-49, DCF-51, DCF-52, DCF-53, DCF-54, DCF-58, DCF-60, DCF-72, DCF-73, DCF-74, DCF-75, DCF-76, DCF-77, DCF-78, DCF-79, DCF-80, DCF-81, DCF-82, DCF-96, DCF-99, DCF-100, DCF-101, DCF-134 |
1. PURPOSE AND SCOPE
1.1 Purpose
The purpose of this policy and procedures document is to define how Dispel establishes, manages, and monitors baseline configurations for systems and services, and how configuration changes are controlled to protect the confidentiality, integrity, and availability of Dispel systems, including the Dispel Zero Trust Engine.
1.2 Scope
This policy applies to:
- All Dispel-managed systems and components in production and other in-scope environments.
- Operating systems, applications, network devices, middleware, and supporting services whose configuration may impact security or compliance.
- All Covered Persons involved in designing, operating, or changing system configurations.
1.3 Regulatory and Framework Alignment
| # | Framework / Standard | Relevant Control IDs | Alignment Notes |
|---|---|---|---|
| 1 | SOC 2 | CC2.1, CC2.3, CC8.1 | System operations and change/configuration management over production environments. |
| 2 | ISO/IEC 27001 | A.8.9, A.8.32, A.8.33 | Configuration management and change management for information systems and test data. |
| 3 | NIST SP 800-53 | CM-1, CM-2, CM-3, CM-4, CM-5, CM-6, CM-7, CM-8, CM-9, CM-10, CM-11, CM-12, CM-14 | Configuration management policy, baselines, change control, access restrictions, settings, inventories, and signed components. |
| 4 | IEC 62443 | 62443-3-3.SR7.6 | Configuration and change management for industrial control systems. |
| 5 | HIPAA | 164.308(a)(1) | Risk management for systems handling ePHI, including configuration controls. |
2. POLICY STATEMENTS
2.1 Management Commitment
Management Commitment Statement
Senior Management at Dispel is dedicated to the protection of our information assets, industrial control systems, and Protected Health Information (PHI). We assume full accountability for the effectiveness of our security program, ensuring it is integrated into all business processes and aligned with our strategic goals. To maintain compliance with ISO 27001, IEC 62443, HIPAA, and NIST 800-53, we formally commit to:
- Resource Provisioning: Providing the necessary financial, technical, and human resources to sustain a robust security posture.
- Risk-Based Governance: Approving security policies and overseeing a continuous risk management process that prioritizes both data privacy and operational safety.
- Operational Resilience: Supporting the security of industrial automation and control systems (IACS) to ensure safety and reliability.
- Continuous Oversight: Conducting regular management reviews to evaluate program performance, audit results, and opportunities for improvement.
2.2 Primary Policy Statement
Dispel SHALL establish and maintain baseline configurations for in-scope systems and SHALL control configuration changes through documented, approved processes.
2.3 Secondary Policy Statement
- Unauthorized changes SHALL be detected, investigated, and remediated.
- Configuration information SHALL be accurate, current, and protected from unauthorized access or modification.
3. REQUIREMENTS
3.1 Baseline Configuration and Inventory
Objective: Define and maintain baseline configurations and inventories.
Mandatory Activities:
- Dispel SHALL define baseline configurations for in-scope systems, including authorized hardware, software, and configuration settings.
- A system component inventory SHALL be maintained, capturing hardware, software, and relevant ownership and accountability information.
- Automated tools SHOULD be used where feasible to maintain configuration and inventory accuracy and currency.
Required Outputs:
- Baseline configuration documentation.
- System and component inventory.
Security Controls: NIST SP 800-53 CM-2, CM-8.
3.2 Configuration Change Control
Objective: Ensure configuration changes are authorized, tested, and documented.
Mandatory Activities:
- Configuration changes SHALL be subject to change management processes, including risk analysis, approvals, testing, and rollback planning.
- Changes to baselines SHALL be documented and baselines updated accordingly.
- Access to perform configuration changes SHALL be restricted to authorized personnel.
Required Outputs:
- Change records linked to configuration updates.
- Updated baseline configuration documentation.
Security Controls: NIST SP 800-53 CM-3, CM-4, CM-5.
3.3 Configuration Settings and Least Functionality
Objective: Enforce secure configuration settings and minimize unnecessary functionality.
Mandatory Activities:
- Dispel SHALL define and implement secure configuration settings for systems and applications, consistent with industry guidance where applicable.
- Systems SHALL be configured to provide only the minimum functionality required (least functionality) and to remove or disable unnecessary services and software.
- Configuration settings SHALL be periodically reviewed and updated as needed.
Required Outputs:
- Configuration standards or hardening guides.
- Records of configuration reviews.
Security Controls: NIST SP 800-53 CM-6, CM-7.
3.4 Configuration Management Plan and Tools
Objective: Coordinate configuration management activities through a formal plan and tools.
Mandatory Activities:
- A configuration management plan SHALL describe roles, responsibilities, processes, and tools used to manage configurations.
- Automated tools SHOULD be used to:
  - Enforce approved configurations.
  - Detect unauthorized changes or components.
  - Support reporting and auditing.
- Records of configuration changes and inventories SHALL be retained for auditing and troubleshooting.
Required Outputs:
- Configuration Management Plan.
- Tool configurations and logs.
Security Controls: NIST SP 800-53 CM-9, CM-10, CM-11, CM-12, CM-14.
4. ROLES AND RESPONSIBILITIES
4.1 Policy Owner
Responsibilities:
- Owns this System Configuration Management Policy and Procedures.
- Ensures alignment with change management and SDLC policies.
- Coordinates periodic reviews and updates.
4.2 System Owners
Responsibilities:
- Ensure baselines and inventories are defined and maintained for their systems.
- Approve configuration changes within their areas of responsibility.
- Maintain system documentation reflecting current configurations.
4.3 Administrators / DevOps
Responsibilities:
- Implement and maintain configurations consistent with baselines.
- Operate configuration management and inventory tools.
- Investigate and remediate unauthorized configuration changes.
5. PROCEDURES
5.1 Configuration Management Lifecycle (High-Level)
| Step | Action | Responsible Party | Timeframe |
|---|---|---|---|
| 1 | Define baseline configurations and inventories for in-scope systems. | Policy Owner, System Owners | Initial setup and major changes |
| 2 | Implement configurations using automated tools where feasible. | Administrators / DevOps | Ongoing |
| 3 | Process and document configuration changes through change management. | System Owners, Administrators | As needed |
| 4 | Monitor for unauthorized changes and remediate. | Administrators / Security | Ongoing |
| 5 | Periodically review baselines, settings, and inventories. | Policy Owner, System Owners | At least annually |
6. MONITORING AND COMPLIANCE
6.1 Compliance Monitoring
Compliance with this policy SHALL be monitored through:
- Reviews of baselines, inventories, and configuration change records.
- Automated checks for unauthorized configuration changes or components.
- Internal or external audits of configuration management controls.
6.2 Metrics and Reporting
The following metrics SHALL be tracked and reported at least annually to the Policy Owner and senior management:
| Metric | Frequency | Owner |
|---|---|---|
| Number of unauthorized configuration changes detected and resolved | Quarterly | Security / DevOps |
| Percentage of systems with current baseline configuration documentation | Annual | Policy Owner |
| Percentage of in-scope systems covered by automated configuration tools | Annual | DevOps |
6.3 Non-Compliance Consequences
Failure to comply with this policy and procedures may result in:
- Increased risk of misconfigurations and security incidents.
- Revocation or restriction of access for Covered Persons who repeatedly fail to follow configuration procedures.
- Disciplinary action for employees and contractors, consistent with Dispel HR policies and applicable law.
7. EXCEPTIONS AND WAIVERS
7.1 Exception Process
Exceptions to this policy SHALL:
- Be submitted in writing by the requesting party.
- Identify the specific policy or procedural requirements for which an exception is sought.
- Include justification and business impact.
- Describe compensating controls or mitigation measures.
- Define exception duration and remediation plan.
7.2 Exception Approval Authority
| Risk Level | Approval Authority |
|---|---|
| Low | Policy Owner |
| Medium | Policy Owner and Security Officer |
| High | Policy Owner, Security Officer, and Senior Management representative |
| Critical | Senior Management representative in consultation with Policy Owner and Security Officer |
8. DEFINITIONS
Baseline Configuration: A documented set of specifications for a system or component that has been formally reviewed and agreed upon, and which can be changed only through change management.
Configuration Item: A system component (hardware, software, documentation, or other) that is managed under configuration control.
9. REFERENCES
9.1 Internal References
- Change Management Policy.
- System Planning Policy and Procedures.
- Software Development Lifecycle documents.
9.2 External References
- NIST SP 800-53, CM family.
- ISO/IEC 27001 and related configuration management guidance.
10. DOCUMENT HISTORY
| Version | Date | Author | Changes |
|---|---|---|---|
| 1.1 | Predates version control | Ethan Schmertzler | Aligned System Configuration Management Policy and Procedures to POLICY_TEMPLATE and updated control mappings. |
| 1.0 | Predates version control | Ethan Schmertzler | Initial System Configuration Management Policy and Procedures. |
11. APPROVAL SIGNATURES
| Role | Name | Signature | Date |
|---|---|---|---|
| Policy Owner | | | |
| Security Officer | | | |
| Senior Management Representative | | | |
APPENDICES
Appendix A: Supporting Configuration Management Procedures
This appendix may include:
- Detailed procedures for baseline creation and updates.
- Configuration standards and hardening guides.
- Sample configuration review checklists.
Appendix B: Additional Guidance and Examples
This appendix may include:
- Example configuration deviation scenarios and responses.
- References to industry best practices for configuration management.