ABSTRACT
Configuration management (CM) supports consistency, completeness, and rigor in implementing
security. It also provides a mechanism for determining the organization's current security posture
with regard to the technologies being utilized and the processes and practices being performed, as well as
a means for evaluating the impact of change on the security stance of the organization. If a new technology is being
considered for implementation, an analysis can determine the effects from multiple standpoints:
• Costs to purchase, install, maintain, and monitor
• Positive or negative interactions with existing technologies or architectures
• Performance
• Level of protection
• Ease of use
• Management practices that must be modified to implement the technology
• Human resources who must be trained on the correct use of the new technology, as a user or as a provider
CM functions serve as a vital base for controlling the present and for charting the future for an
organization in meeting its goals. But looking at CM from a procedural level exclusively might result in
the omission of significant processes that could enhance the information security stance of an
organization and support mission success.