Secure Configuration Management for CIS Control 4, 9, and 12
As delivered from developers, manufacturers, and resellers, the default configurations for enterprise assets and software are normally geared towards ease-of-deployment and ease-of-use rather than security. Permissive settings, open services and ports, default accounts or passwords, older (vulnerable) protocols, and pre-installation of unnecessary software can all be exploitable if left in their default state. Further, these security configuration updates need to be managed and maintained over the lifetime of all enterprise assets and software. Configuration updates need to be tracked and approved through a configuration management workflow process to maintain a record that can be reviewed for compliance, leveraged for incident response, and to support audits. Secure configurations are important to on-premises devices, as well as remote devices, network devices, and cloud environments.
This policy template is meant to supplement the CIS Controls v8. The policy statements included within this document can be used by all CIS Implementation Groups (IGs), but are specifically geared towards Safeguards in Implementation Group 1 (IG1).