From Web Policy STIG
Part of Access to Configuration Management policies.
Associated with IA controls: DCPR-1, ECPC-1
A Configuration Management Policy and its associated procedures help to ensure the effective implementation of security controls requisite to the organizational goals of integrity, availability, and confidentiality by governing the change process, which is necessary to ensure that unapproved and malformed software, or unapproved configuration changes, are not introduced into the production environment. It should include, but may not be limited to, auditing change, the use of automated change controls, limiting change to authorized personnel with regard to direct changes to production software, and lists of approved or disapproved software.
If an MOU or an SLA exists between a hosting agency and the information owner, those documents will address the requirement presented in this check. If the hosting agency is responsible for CM, it will provide the proof. If the information owner is responsible for CM, it will provide assurance and supporting information to the hosting agency. The reviewer will have access to this documentation and any supporting materials. The SA and or the web administrator should be in possession of or have access to the most recent Configuration Management Policy as developed by the organization. They should also be able to demonstrate policy compliance. Review the risk assessment, security plan, and any supplements necessary to verify that these procedures are documented. Required elements of CM: 1. An indication of who approves the changes to both administrative configuration changes and the software installed on the production web server. 2. A process that documents and audits web server configuration and web server software changes, approvals, and disapprovals. 3. A process or policy that addresses procedures with regard to what may or may not be configured, changed, or implemented. If a Change Management Policy does not exist, or compliance cannot be demonstrated, this is a finding.
Documented CM policies and procedures will be made available to the IAO, the SA, or the web administrator.
Lavender hyperlinks in small type off to the right (of CSS
class id, if you view the page source) point to
globally unique URIs for each document and item. Copy the
link location and paste anywhere you need to talk
unambiguously about these things.
You can obtain data about documents and items in other
formats. Simply provide an HTTP header Accept:
text/turtle or
Accept: application/rdf+xml.
Powered by sagemincer