C.7 Configuration Management Policy

Version: April 2025
Applies to: All employees, contractors, and stakeholders
Aligned with: ISO/IEC 27001:2022 (A.8.1, A.8.9, A.8.12, A.5.10)

Purpose
To maintain secure, consistent, and documented configurations across all IT assets to reduce risks such as unauthorized access, misconfigurations, or vulnerabilities.

1. Scope
Covers:
- All hardware, OS platforms, network devices, and software
- Configuration baselines, enforcement systems, change tracking, and audits
- All users responsible for configuring or maintaining digital systems

Mandatory across the organization. Exceptions require formal approval.

2. Core Configuration Requirements

ID      Requirement
CFG-01  Maintain a library of approved OS configuration baselines
CFG-02  Disable all unnecessary OS services
CFG-03  Define secure configurations for essential services (e.g., databases, SMB, VoIP)
CFG-04  Remove or restrict unnecessary scripting languages
CFG-05  Enable advanced shell logging (e.g., PowerShell, Bash)
CFG-06  Enforce OS security features: DEP, ASLR, UAC
CFG-07  Disable autorun functions on all systems
CFG-08  Activate screensaver locks after a period of inactivity
CFG-09  Enforce secure boot processes (e.g., UEFI integrity check)
CFG-10  Disable unused wireless protocols
CFG-11  Maintain secure configuration baselines for software applications
CFG-12  Use configuration enforcement tools across all devices
CFG-13  Ensure enforcement applies to both onsite and remote systems

3. Enforcement & Sanctions
Non-compliance may result in:
- Training or written warnings
- Loss of access
- Contract termination or legal action

All enforcement follows HR and cybersecurity governance protocols.