Configuration Management Policy
| Owner | Classification | Review Date | Status |
|---|---|---|---|
| CDO Office | Internal | April 2027 | Active |
| Field | Details |
|---|---|
| Document Type | Policy |
| Document Reference | SP-CM-007 |
| Version | 1.3 |
| Owner | CISO |
| Classification | Confidential |
| Review Cycle | Annual |
Introduction
Configuration management is the process of establishing and maintaining consistent settings across Simpaisa's IT infrastructure to ensure security, stability, and compliance. This policy defines the requirements for building, hardening, and managing configurations for all systems within Simpaisa's environment.
Secure configuration baselines reduce the attack surface of Simpaisa's systems by eliminating unnecessary services, applying security-relevant settings, and ensuring consistency across deployments.
Simpaisa's configuration standards are aligned with recognised industry frameworks, including:
- CIS (Center for Internet Security) Benchmarks
- ISO/IEC 27001 controls
- SANS secure configuration guidelines
- NIST Special Publication 800-123 (Guide to General Server Security)
This policy applies to all servers, network devices, cloud components, applications, and endpoints managed by Simpaisa's IT team.
Configuration Standards
Build Standards
The following table defines the build standards for Simpaisa's on-premises and cloud infrastructure:
| Component | Environment | Standard | Baseline Version | Review Frequency |
|---|---|---|---|---|
| Windows Servers | On-Premises | CIS Windows Server Benchmark | CIS Level 1 | Annual |
| Linux Servers | On-Premises | CIS Linux Benchmark | CIS Level 1 | Annual |
| Network Switches | On-Premises | CIS Cisco Benchmark / Manufacturer Hardening Guide | Latest | Annual |
| Firewalls | On-Premises | CIS Firewall Benchmark / Manufacturer Hardening Guide | Latest | Annual |
| AWS EC2 Instances | Cloud (AWS) | CIS AWS Foundations Benchmark | CIS Level 1 | Annual |
| AWS S3 Buckets | Cloud (AWS) | AWS Security Best Practices | Latest | Annual |
| AWS IAM | Cloud (AWS) | CIS AWS IAM Benchmark | CIS Level 1 | Quarterly |
| AWS RDS | Cloud (AWS) | AWS RDS Security Best Practices | Latest | Annual |
| AWS VPC | Cloud (AWS) | AWS VPC Security Best Practices | Latest | Annual |
| Containers | Cloud (AWS) | CIS Docker / Kubernetes Benchmark | CIS Level 1 | Annual |
| End-user Devices | On-Premises | CIS Windows/macOS Benchmark | CIS Level 1 | Annual |
Security Configuration Standards
| Control Area | Requirement | Standard |
|---|---|---|
| Firewall Rules | Default deny all; permit by exception only; rules reviewed quarterly | CIS, NIST |
| Remote Access | VPN required for all remote access; MFA enforced | ISO 27001 |
| Default Accounts | All default accounts disabled or renamed; default passwords changed | CIS, NIST |
| Unnecessary Services | All unnecessary services, ports, and protocols disabled | CIS, SANS |
| Patch Management | Security patches applied within defined SLAs (critical: 72 hours, high: 7 days, medium: 30 days) | NIST |
| Logging | Audit logging enabled on all systems; logs forwarded to centralised SIEM | ISO 27001 |
| Antivirus / EDR | Endpoint protection deployed and maintained on all applicable systems | CIS |
| Encryption | Disk encryption enabled on all laptops and portable devices; TLS enforced for all services | ISO 27001 |
| Password Policy | Minimum 12 characters; complexity required; maximum 90-day rotation for privileged accounts | CIS |
| Network Segmentation | Production, development, and management networks segregated | ISO 27001, NIST |
Application Software Configuration Standards
| Application Type | Configuration Requirement | Standard |
|---|---|---|
| Web Applications | HTTPS enforced; HSTS enabled; security headers configured; CSP implemented | OWASP |
| Databases | Access restricted to application service accounts only; remote admin access disabled; encryption at rest enabled | CIS |
| Email Platform | SPF, DKIM, and DMARC configured; anti-phishing controls enabled | Industry best practice |
| Identity Provider | MFA enforced; conditional access policies applied; privileged accounts separated | CIS |
| API Gateway | Authentication required for all endpoints; rate limiting applied; API keys rotated regularly | OWASP API Security |
| Code Repositories | Branch protection rules enforced; secret scanning enabled; access reviewed regularly | Industry best practice |
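The web-application row above lists four controls (HTTPS enforced, HSTS enabled, security headers configured, CSP implemented) without saying how compliance is verified. The following is an added example, not part of the policy and not Simpaisa's own tooling: it checks one HTTP response's headers against that row and returns a list of deviations. The one-year HSTS minimum, the exact set of required headers, and the CSP directive rules are assumptions chosen for illustration; the policy itself only requires that the controls be present.

```python
"""Check an HTTP response against the web-application configuration
requirements: HTTPS enforced, HSTS enabled, security headers configured,
CSP implemented.

Added example; not part of the policy and not Simpaisa's tooling.
Thresholds and accepted values below are assumptions for illustration.
"""
from __future__ import annotations

MIN_HSTS_MAX_AGE = 31_536_000  # one year; assumed threshold, not from the policy

# Header name -> predicate returning True when the value is acceptable.
# Accepted values are assumptions for this example.
REQUIRED_HEADERS = {
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "x-frame-options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    "referrer-policy": lambda v: v.strip() != "",
}


def parse_hsts(value: str) -> dict[str, str | None]:
    """'max-age=31536000; includeSubDomains' -> {'max-age': '31536000', 'includesubdomains': None}."""
    directives: dict[str, str | None] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, val = part.partition("=")
        directives[name.strip().lower()] = val.strip() if sep else None
    return directives


def parse_csp(value: str) -> dict[str, list[str]]:
    """\"default-src 'self'; script-src 'self' cdn\" -> {'default-src': [\"'self'\"], ...}."""
    directives: dict[str, list[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def check_hsts(value: str | None) -> list[str]:
    """Findings for the Strict-Transport-Security header (empty list = OK)."""
    if value is None:
        return ["HSTS: Strict-Transport-Security header missing"]
    d = parse_hsts(value)
    try:
        max_age = int(d.get("max-age") or "")
    except ValueError:
        return ["HSTS: max-age directive missing or not an integer"]
    findings = []
    if max_age < MIN_HSTS_MAX_AGE:
        findings.append(f"HSTS: max-age {max_age} below minimum {MIN_HSTS_MAX_AGE}")
    if "includesubdomains" not in d:
        findings.append("HSTS: includeSubDomains not set")
    return findings


def check_csp(value: str | None) -> list[str]:
    """Findings for Content-Security-Policy: present, and script sources not wide open."""
    if value is None:
        return ["CSP: Content-Security-Policy header missing"]
    d = parse_csp(value)
    # script-src falls back to default-src when it is not given explicitly
    script_src = d.get("script-src", d.get("default-src"))
    if script_src is None:
        return ["CSP: neither default-src nor script-src is defined"]
    return [f"CSP: script sources allow {weak}"
            for weak in ("'unsafe-inline'", "'unsafe-eval'", "*") if weak in script_src]


def check_response(scheme: str, headers: dict[str, str]) -> list[str]:
    """Return all deviations from the web-application baseline; empty means compliant."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []
    if scheme.lower() != "https":
        findings.append(f"Transport: served over {scheme}, HTTPS required")
    findings += check_hsts(h.get("strict-transport-security"))
    findings += check_csp(h.get("content-security-policy"))
    for name, ok in REQUIRED_HEADERS.items():
        if name not in h:
            findings.append(f"Header: {name} missing")
        elif not ok(h[name]):
            findings.append(f"Header: {name} has unacceptable value {h[name]!r}")
    return findings


# Constructed sample responses; not captured from any real system.
COMPLIANT = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}
NON_COMPLIANT = {
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src *; script-src 'self' 'unsafe-inline'",
    "X-Content-Type-Options": "none",
}

if __name__ == "__main__":
    for label, scheme, hdrs in (("compliant", "https", COMPLIANT), ("non-compliant", "http", NON_COMPLIANT)):
        print(label, check_response(scheme, hdrs) or "OK")
```

In practice the header dictionary would come from a real response (for example `urllib.request.urlopen(...).headers`) collected during the monthly compliance scan, and each non-empty finding list would be logged as a drift item against the application's baseline.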
Configuration Management Process
- All configuration changes shall follow the Change Management Policy (SP-CMP-004)
- Configuration baselines shall be documented and stored in a version-controlled repository
- Deviations from approved baselines shall be formally documented, risk-assessed, and approved by the CISO
- Automated configuration compliance scanning shall be conducted at least monthly
- Configuration drift shall be detected, investigated, and remediated promptly
- Configuration baselines shall be reviewed at least annually and updated to reflect changes in the threat landscape and vendor guidance