Security configuration management (SCM) does more for an organization than harden its attack surface against intrusion. This foundational control can also make audits run more smoothly: because SCM records the configuration state of monitored systems over time, an organization can pull a report for any point in time and show which configuration changes were made, and how each setting aligned with the required baseline, in support of its compliance efforts.
SCM doesn’t support just one type of audit, either. It can back an in-house audit in which staff evaluate the organization’s configuration against a set of internal controls and best practice frameworks, and it can supply the evidence needed for an external audit against regulatory compliance standards.
To understand how, organizations first need to be clear on the difference between a best practice framework of security controls and a set of regulatory compliance standards.
Best Practice Frameworks
Organizations can use best practice frameworks to create, enhance and maintain an effective digital security program. These frameworks all recommend that organizations implement SCM, but adoption is voluntary: no formal audit enforces it.
Three best practice frameworks in particular stand out for their wide recognition within the security industry: the Center for Internet Security’s Top 20 Critical Security Controls (“the CIS Controls”), the National Institute of Standards and Technology’s various publications (“NIST”) and the MITRE ATT&CK knowledge base of adversary tactics and techniques (“MITRE ATT&CK”). Strictly speaking, ATT&CK is a catalogue of attacker behaviour rather than a list of controls, but it is widely used to decide which defenses, including hardened configurations, to prioritize.
The CIS Controls
Widely regarded as the baseline for organizations looking to secure their systems, version 7 of the CIS Controls consists of a prioritized list of 20 security fundamentals. SCM appears among the first six CIS Controls, known as the “Basic CIS Controls,” as Control 5: “Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers.” It comes after Control 1: “Inventory and Control of Hardware
*** This is a Security Bloggers Network syndicated blog from The State of Security authored by David Bisson. Read the original post at: https://www.tripwire.com/state-of-security/security-data-protection/security-configuration-management/compliance-efforts-audit-scm/