Configuration management is the managed maintenance of known configurations of EVERYTHING: code, systems, appliances, work flows, facilities, HVAC, etc. Keeping track of, confirming, testing, backing up, verifying, restoring, and documenting configurations across the organization is essential to maintaining stability, consistency, reliability, and security.
Architecture & Design
Security is most effective if it is integral to the initial concept, architecture, and design of a new system, product, or solution. By designing new hardware and software solutions with core security concepts, the security benefits derived from those solutions will be more stable, reliable, and integrated to the overall function, purpose, and capabilities of that solution. Secure architecture and design should include sufficient focus on authentication, authorization, and accounting. This will ensure that only valid subjects gain access, the actions taken by subjects are controlled, and all events occurring are recorded for analysis. Often, the design and architecture of an organization’s IT infrastructure starts at the network structure and is focused around the primary network protocol. Today, the preferred and securable network protocol is IPv6. A clear understanding of IPv6 and how to design a secure network infrastructure around it is important to the overall success of an organization’s security endeavors.
Business alignment is the idea of streamlining or focusing business tasks in order to take full advantage of the technologies available. Often, business aligns in relation to an IT/IS infrastructure. Ultimately, the goal of business alignment is to be more efficient and cost effective at achieving operational goals and objectives. Business alignment seeks to avoid the common problem of IT being an expensive toy that does not directly contribute to the profit, goals, or solutions of the organization. If a better alignment between deployed IT infrastructure and end-user tasks and business processes has been established, more return on investment is achieved. Instead of installing computer networks for the sake of having a computer network, technology is adopted and adapted only as it directly supports and improves business operations.
The only constant is change, Heraclitus said. However, uncontrolled and unregulated change will result in reduced or compromised security. Change management is the oversight and control of change. It is mostly focused on changes to software but should also include changes to hardware, configurations/settings, physical location, and personnel. Change management seeks to prevent unverified changes from negatively affecting business capabilities, causing unplanned downtime, or enabling security breaches. A formal process for change management often includes a means to discover or request a change, a process of evaluating the change (typically in a lab or simulated environment), and a process for having the results/findings of evaluation be reviewed by an internal change approval board (CAB). Only approved changes can be rolled out into the production environment. If possible, a rollback option is established (such as image backups) so a change can be repealed in the event of unexpected consequences.
Operations planning focuses on essential task planning for short-term processes and procedures with the goal of accomplishing project milestones. Many organizations have strategic or long-term plans in relation to growth, markets, profits, and security. Operations planning takes strategic plans and divides them up into smaller, short-term, stepping-stone-like tasks. Operations planning addresses specific questions related to business planning:
- Where are we now?
- Where do we want to go?
- How can we get there?
- What can be used to measure our progress and success?
As it fits under configuration management, security testing is the managed application of tests that confirm or deny security throughout the organization. The focus is for developers, administrators, and managers to learn how often to schedule testing, to what extent to test, and with which metrics and actions to assess the success of a test in order to assure full life cycle improvement of the entire organization.