Configuration management policy

The configuration management policy establishes rules to ensure that changes to the information system are minimally disruptive to the functioning of the information system and the users that it supports. The configuration management policy also establishes rules that require IT professionals to document and track changes to an information system.

What the configuration management policy should address:

  • Establishing and maintaining baseline configurations and inventories of organizational information systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles
  • Establishing and enforcing security configuration settings for information technology products employed in organizational information systems
  • Tracking, reviewing, approving/disapproving, and auditing changes to information systems
  • Analyzing the security impact of changes prior to implementation
  • Defining, documenting, approving, and enforcing physical and logical access restrictions associated with changes to the information system
  • Employing the principle of least functionality by configuring the information system to provide only essential capabilities
  • Restricting, disabling, and preventing the use of non-essential programs, functions, ports, protocols, and services
  • Applying deny-by-exception (blacklisting) policies to prevent the use of unauthorized software, or deny-all, permit-by-exception (whitelisting) policies to allow the execution of authorized software
  • Controlling and monitoring user-installed software