Configuration Management

  • Validate that the operating systems and applications are designed, configured, patched and hardened in accordance with CSC policies, procedures, and standards. All OS and application management practices can be common between on-premises and cloud systems and services.

  • Consider the inventory of relevant configurations. How has management determined configuration changes relevant to their environment?

  • What changes are the responsibilities of the CSC versus the CSP? For example, a CSC may be responsible for change request, UAT, change deployment whereas the CSP could be responsible for development and integrationtesting.

  • For changes that the CSC is responsible for, is there sufficient change management controls in place to ensure that management expectations are met and risks are addressed?

  • Review documented process for configuration of cloud compute instances: Machine Images, Operating systems, Applications

    • Are CSP-pushed configuration updates being reviewed?

  • Understand the release schedules. Do the changes match the release schedules?

  • Review API calls for in scope services for delete calls to ensure IT assets have been properly disposed.

PreviousUser Device ManagementNextVulnerability Management

Last updated