Document Type | Policy - Mandatory |
---|---|
Document ID | |
Audience | All employees |
Confidentiality | For internal use |
Language | English |
Applies to | |
Version | |
Owner | |
Author | |
1st Reviewer / Review Date | |
2nd Reviewer / Review Date | |
Approver (CEO) / Approval Date | |
Release Date | |
Next Review | |
This document describes how services provided by third parties will be monitored and reviewed.
The following areas of the ISO/IEC 27001 standard are addressed by this document:
- A.5 Organizational controls
- A.5.1 Policies for information security
- A.8 Technological controls
- A.8.9 Configuration management
Company Name uses a wide variety of components in creating and running its information systems infrastructure. These consist of hardware, software, cloud services and networks, all of which are potentially vulnerable to attack from a variety of threat sources. To lessen the risk of these components becoming compromised, it is important that we identify the most appropriate ways of configuring them and then ensure that these methods are used throughout our platform landscape.
This policy describes the main principles on which such standard configurations must be based and sets out the rules for their use.
This control applies to all systems, people and processes that constitute the information systems, including board members, directors, employees, suppliers and other third parties who have access to the information systems.
The following policies and procedures are relevant to this document:
- Information Security Policy
- Mobile Device Policy
- Network Security Policy
- Cloud Services Policy
- Configuration Management Process
- Change Management Process
New components that make up the information systems hardware, software, services and networks must have their required security settings defined and correctly configured prior to their implementation within our platform environment.
Configurations of existing components must be reviewed periodically to ensure they meet the requirements of this policy.
Such components will include, but are not limited to:
- Endpoint devices, such as desktops, laptops, mobile phones and tablets
- Physical network devices, such as routers, switches and firewalls
- Physical servers, including system software such as operating systems, databases and web servers
- Cloud infrastructure, such as virtual servers, networks and storage
Where possible, standard templates will be used to document the required configuration of platform components. These templates will be subject to change and version control.
The configurations defined will take appropriate account of available sources of information about securing the relevant components, such as vendor templates, guidance from cyber security authorities and best practice organizations, system hardening guides and our own information security policies.
Details of configuration standards will be protected as sensitive information which would be of use to an attacker.
Configuration standards must be reviewed on a regular basis and kept up to date with changes in the components themselves (such as new hardware or software versions) and the threats and vulnerabilities they face.
The correct configuration of components will be monitored and instances where existing settings deviate from the established standard will be investigated and, if necessary, corrected.
Where feasible, automated methods such as Infrastructure as Code (IaC) will be used to create components with the correct configuration. Automated audit tools may also be used to check configurations regularly, report on those found to be non-compliant and, where appropriate, correct them.
Target Audience | This Policy is intended to be understood and applied by all employees. |
---|---|
Implementation Timing / Impact | Describe when the policy enters into force. |
Assumptions / Prerequisites | Describe if any. |
Exception Management | Describe if needed. |
Version | Date | Description | Revised by |
---|---|---|---|