Glen D. Chambers Consulting

Assessing Controls in Information Systems


Configuration Management for Auditors

Course Objectives.
  1. Provide an overview of an effective configuration management process and the primary concepts that are generally covered in an entity's configuration plan.
  2. Understand why configuration management should be a key part of an entity's System Development Life Cycle (SDLC) methodology.
  3. Be familiar with the control activities, control techniques, and audit procedures associated with the configuration management process.
Configuration Management for Auditors is a one-day training session designed to provide an overview of four primary concepts that make up an effective configuration management process: configuration identification, configuration control, configuration status accounting, and configuration auditing. For information assurance, configuration management (CM) can be defined as the management of security features and assurances through control of changes made to hardware, software, firmware, documentation, test, test fixtures, and test documentation throughout the life cycle of an information system.

In some instances, an entity may not have an effective entity-wide configuration management process, but may nonetheless have configuration management controls at the systems and business process application level. Therefore, evaluation of configuration controls at all levels is important to determine whether they are effective.

The Federal Information Security Management Act (FISMA) of 2002 requires each federal agency to determine minimally acceptable system configuration requirements and ensure compliance with them. Although not a requirement, many state and local agencies are adopting the same standards to ensure compliance within their IT operations. Industry best practices, NIST, and DOD guidance all recognize the importance of configuration management when developing and maintaining a system or network. Our role as auditors is to evaluate the adequacy of established plans and procedures over the modification of information system components and related documentation to ensure that only authorized systems and related program modifications are being implemented.
Copyright (c) 2004-2012 by Glen D. Chambers Consulting.  All Rights Reserved. 
Level - Basic; 1 Day Course; 8 Hours CPE