Configuration Management
Configuration management is a process by which the enterprise can keep track of what it has in terms of hardware and software.  If users or technology support staff can arbitrarily introduce components or software, it will become increasingly difficult to maintain a secure environment.  Configuration management helps the enterprise answer such questions as: what computers are connected to what networks?  Or, which versions of what software are running on which components?  There are four fundamental principles of configuration management:
  1. Identification -- This is a means of naming and describing the items that are to be managed, at the granularity at which they are managed.  For example, each application software package should be identified in terms of a unique name and version.  If multiple different configurations of the same package are used, the configurations (e.g., firewall filter settings) should be identified.  The identification is more than just a name.  It includes a description of what the item is.
  2. Change Control -- A means of managing the introduction of new configuration items, or the introduction of new versions or altered configuration items.
  3. Status Accounting -- Tracking the operational properties of configuration items.  For example, is a configuration item undergoing testing?  Is it being used for production purposes?  Has the network IDS been turned off for the last month (e.g., because it has generated too many alerts)?
  4. Audit -- The ability to track the history of configuration items and changes to configuration items.  Using the audit system, it should be possible to confirm that each change made to a configuration item was performed in accordance with the established change control process.
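The four principles can be combined into one audit check that confirms each recorded change went through change control. This is an added example, not part of the original page; the record fields, item names, change IDs and finding strings are all constructed for illustration.

```python
from collections import namedtuple

# Identification + status accounting: what the item is and its operational state.
ConfigItem = namedtuple("ConfigItem", "name version description status")
# Change control: one requested change; approved_by is None until approved.
ChangeRecord = namedtuple("ChangeRecord", "change_id item new_version approved_by")
# Audit trail: one change actually made; change_id is None if none was cited.
HistoryEntry = namedtuple("HistoryEntry", "item new_version change_id")

def audit(inventory, changes, history):
    """Return (item, finding) pairs where history or status needs attention."""
    by_id = {c.change_id: c for c in changes}
    findings, last_seen = [], {}
    for h in history:
        last_seen[h.item] = h.new_version
        rec = by_id.get(h.change_id)
        if rec is None:
            findings.append((h.item, "change has no change record"))
        elif rec.approved_by is None:
            findings.append((h.item, "change record was never approved"))
        elif (rec.item, rec.new_version) != (h.item, h.new_version):
            findings.append((h.item, "change differs from what was approved"))
    for ci in inventory:
        if ci.name in last_seen and last_seen[ci.name] != ci.version:
            findings.append((ci.name, "inventory version does not match history"))
        if ci.status == "disabled":
            findings.append((ci.name, "item is recorded as disabled"))
    return findings

# Constructed sample data (hypothetical items and change IDs).
INVENTORY = [
    ConfigItem("edge-firewall-ruleset", "2.1", "Perimeter filter settings", "production"),
    ConfigItem("network-ids", "4.0", "Network intrusion detection sensor", "disabled"),
    ConfigItem("payroll-app", "7.3", "Payroll application package", "production"),
]
CHANGES = [
    ChangeRecord("CHG-001", "edge-firewall-ruleset", "2.1", "ops-lead"),
    ChangeRecord("CHG-002", "payroll-app", "7.2", "ops-lead"),
    ChangeRecord("CHG-003", "network-ids", "4.0", None),
]
HISTORY = [
    HistoryEntry("edge-firewall-ruleset", "2.1", "CHG-001"),
    HistoryEntry("payroll-app", "7.3", "CHG-002"),
    HistoryEntry("network-ids", "4.0", "CHG-003"),
]

if __name__ == "__main__":
    for item, finding in audit(INVENTORY, CHANGES, HISTORY):
        print(f"{item}: {finding}")
```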
Instituting a configuration management system can be expensive: it carries up-front costs to develop the system (which often requires the attention of the enterprise's most knowledgeable operations and support people), and it entails ongoing costs.