
Control 8.9: Configuration Management


Summary

Configurations, including security configurations, of hardware, software, services, and networks should be established, documented, implemented, monitored, and reviewed. This ensures systems are hardened against attack and remain in a known-good state.


Applicability

In-Scope: Mandatory for maintaining a consistent security posture. It prevents configuration drift, where security settings are accidentally or intentionally weakened over time.

Out-of-Scope: Never out-of-scope.


Implementation Guidance

Microsoft 365 / Entra ID

  • Hardening Baselines: Implement the Microsoft Security Baselines in Intune to enforce industry-standard security settings for Windows and Microsoft 365 Apps.

  • Configuration Profiles: Use Intune Configuration Profiles to lock down device settings, such as disabling unnecessary services and enforcing local firewall rules.

  • Monitoring: Use Microsoft Secure Score to continuously monitor the tenant configuration against recommended security practices and identify gaps.


Evidence Checklist

  • Configuration Standards: Documented hardening guides or baseline configurations for each type of system (Servers, Workstations, Cloud Apps).

  • Compliance Logs: Reports showing that managed devices are compliant with the established security baselines.

  • Change Logs: Audit trails from the Microsoft 365 portal showing any modifications made to the tenant-wide security settings.


Practical Audit Advice

Here are some questions the auditor might ask:

  • How do you ensure that a new system is properly hardened before it is allowed to access the production network?

  • What process is in place to detect and remediate a system that has deviated from the established security baseline?

  • Are default passwords and unnecessary pre-installed software removed as part of your standard configuration process?

  • Can you demonstrate how you use automated policies to maintain consistent configurations across your cloud environment?