This article provides additional information on how you can meet the requirement for the CAF (Cyber Assessment Framework) control B4.b Secure Configuration.
Secure Configuration of Systems
- Systems supporting essential services should be securely configured and kept in a known-good state.
- All assets should be recorded in a System Inventory, and each platform should follow an approved baseline configuration.
Approved Software and Change Control
- Only software listed on the organisation’s Approved Software Register should be installed.
- Configuration changes should be:
  - authorised
  - documented
  - impact-assessed
  - tested before implementation
- All updates and adjustments should follow a controlled change process.
Configuration Reviews and Hardening
- System configurations should be reviewed routinely to confirm that:
  - hardening settings remain in place
  - unnecessary services are disabled
  - default or shared accounts are removed or secured
- Service accounts should be appropriately protected.
Automated Technologies
- Where automated decision-making technologies are used, their configuration and behaviour should be clearly understood and reproducible.
Maintaining Configuration Consistency
- A structured approach to configuration management helps minimise configuration drift and maintain secure, consistent system builds across the environment.
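The routine review described under Configuration Reviews and Hardening, carried out as a drift check of an observed host against its approved baseline, as an added example that is not part of the article. The baseline keys, the observed snapshot and the software and account names are constructed for illustration; a real review would populate the observed state from the System Inventory and host tooling.

```python
# Constructed baseline for one platform (illustrative values, not from the article).
BASELINE = {
    "approved_software": {"openssh-server", "nginx", "auditd"},   # Approved Software Register
    "hardening": {"PermitRootLogin": "no", "PasswordAuthentication": "no"},
    "services_disabled": {"telnet", "rpcbind"},                   # must not be running
    "prohibited_accounts": {"admin", "guest", "shared-ops"},      # default / shared accounts
}

# Constructed snapshot of a host as observed during a review (hypothetical drifted state).
OBSERVED = {
    "installed_software": {"openssh-server", "nginx", "auditd", "docker.io"},
    "hardening": {"PermitRootLogin": "yes", "PasswordAuthentication": "no"},
    "enabled_services": {"sshd", "nginx", "telnet"},
    "accounts": {"root", "deploy", "guest"},
}


def review_configuration(baseline, observed):
    """Compare an observed host state with its baseline.

    Returns a list of (category, detail) drift findings, one per deviation from
    the known-good state; an empty list means the host matches its baseline.
    """
    findings = []
    # Software not on the Approved Software Register.
    for pkg in sorted(observed["installed_software"] - baseline["approved_software"]):
        findings.append(("unapproved_software", pkg))
    # Hardening settings that changed or are missing (missing reads as None).
    for key, expected in baseline["hardening"].items():
        actual = observed["hardening"].get(key)
        if actual != expected:
            findings.append(("hardening", f"{key}={actual!r}, expected {expected!r}"))
    # Unnecessary services that should be disabled but are enabled.
    for svc in sorted(baseline["services_disabled"] & observed["enabled_services"]):
        findings.append(("unnecessary_service", svc))
    # Default or shared accounts that should have been removed.
    for acct in sorted(baseline["prohibited_accounts"] & observed["accounts"]):
        findings.append(("default_or_shared_account", acct))
    return findings


if __name__ == "__main__":
    for category, detail in review_configuration(BASELINE, OBSERVED):
        print(f"DRIFT [{category}] {detail}")
```

Each finding maps to one of the review points above, so the output can feed the change-control process as evidence of drift to be authorised, documented or reverted.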