Establish and Maintain a Secure Configuration Process
Description
Establish and maintain a secure configuration process for enterprise assets (end-user devices, including portable and mobile, non-computing/IoT devices, and servers) and software (operating systems and applications). Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
Implementation Checklist
Tool Recommendations
Automated CIS Benchmark assessment tool for configuration compliance scanning across OS, applications, and cloud
Center for Internet Security · CIS SecureSuite membership
Cloud-based configuration assessment and compliance platform with CIS Benchmark support and continuous monitoring
Qualys · Per-asset subscription
Security configuration management and file integrity monitoring platform with policy compliance and drift detection
Fortra (Tripwire) · Per-node subscription
Threats & Vulnerabilities (CIS RAM)
Threat Scenarios
Exploitation of Default or Weak System Configurations
Integrity: Attackers exploit out-of-box default configurations including open ports, unnecessary services, and weak security settings that were never hardened according to a secure baseline.
Configuration Drift Enabling Attack Vectors
Confidentiality: Over time, systems drift from secure configurations through ad-hoc changes, reintroducing vulnerabilities that were previously mitigated and creating inconsistent security postures.
Ransomware Exploiting Unhardened Systems
Availability: Ransomware propagates rapidly through systems lacking hardened configurations, exploiting enabled-by-default protocols like SMBv1 and unnecessary remote access services.
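The drift and default-configuration scenarios above come down to one recurring check: compare what a host actually reports against the approved baseline and treat every difference, including a setting that is simply missing from the export, as drift to be triaged by severity. The following is an added illustration, not code from CIS or from any of the tools listed on this page. The baseline settings, severities and the host export are all constructed for the example; a real baseline comes from the organisation's approved hardening documentation and a real export from the configuration assessment tool in use.

```python
# Added example: minimal baseline-vs-observed configuration drift check.
# Setting names, severities and the export below are constructed and hypothetical.
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Approved baseline (constructed): setting -> (expected value, severity if it drifts)
BASELINE = {
    "smb1_enabled": ("false", "critical"),
    "remote_registry_service": ("disabled", "high"),
    "telnet_server": ("disabled", "high"),
    "password_min_length": ("14", "medium"),
    "audit_logon_events": ("success,failure", "medium"),
    "screen_lock_timeout_sec": ("900", "low"),
}

# Constructed export from one host, in the key=value form many CLI collectors emit.
# Note that audit_logon_events is absent and smb1_enabled has drifted back to true.
SAMPLE_EXPORT = """\
# exported by a hypothetical collector
smb1_enabled=true
remote_registry_service=disabled
telnet_server = disabled
password_min_length=8
screen_lock_timeout_sec=900
"""

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass(frozen=True)
class Drift:
    setting: str
    expected: str
    actual: Optional[str]  # None when the setting is missing from the export
    severity: str


def parse_export(text: str) -> dict[str, str]:
    """Parse key=value lines; skip blanks and '#' comments; trim whitespace on both sides."""
    settings: dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def find_drift(baseline: dict[str, tuple[str, str]], observed: dict[str, str]) -> list[Drift]:
    """Return every baseline setting whose observed value differs or is missing.

    A missing setting is reported as drift: the absence of a value is not
    evidence that the control is in place. Results are ordered by severity,
    then by setting name, so the most urgent items come first.
    """
    drift = []
    for setting, (expected, severity) in baseline.items():
        actual = observed.get(setting)
        if actual is None or actual.lower() != expected.lower():
            drift.append(Drift(setting, expected, actual, severity))
    return sorted(drift, key=lambda d: (SEVERITY_ORDER[d.severity], d.setting))


def compliance_ratio(baseline: dict[str, tuple[str, str]], observed: dict[str, str]) -> float:
    """Fraction of baseline settings that match, usable as a scan-result metric."""
    return 1 - len(find_drift(baseline, observed)) / len(baseline)


if __name__ == "__main__":
    observed = parse_export(SAMPLE_EXPORT)
    for d in find_drift(BASELINE, observed):
        print(f"[{d.severity.upper():8}] {d.setting}: expected {d.expected!r}, got {d.actual!r}")
    print(f"compliance: {compliance_ratio(BASELINE, observed):.0%}")
```

Run against the constructed export, the check reports the re-enabled SMBv1 setting first, then the missing audit setting and the weakened password length, and a 50% compliance figure. Treating a missing key as drift rather than as "not applicable" is the deliberate design choice here; it is what makes the output usable as the monthly compliance-scan evidence the table below calls for, since a silent gap in the export would otherwise look like a pass.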
Vulnerabilities (When Safeguard Absent)
No Defined Secure Configuration Baseline
Without a documented secure configuration process, systems are deployed with vendor defaults that prioritize ease of use over security, leaving known attack surfaces exposed.
No Configuration Review or Update Cadence
Without annual review of secure configuration standards, baselines become outdated as new attack techniques emerge and vendor recommendations change.
Evidence Requirements
| Type | Evidence Item | Collection Frequency |
|---|---|---|
| Technical | Configuration screenshots or exports showing protection controls enabled | Captured quarterly |
| Document | Procedure documentation for protection measures | Reviewed annually |
| Technical | Configuration compliance scan results against approved baseline | Scanned monthly |
| Document | Approved baseline configuration documentation | Reviewed quarterly |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |