Asset configurations are monitored for consistency with baselines throughout the assets’ lifecycles

Organizations should monitor asset configurations to ensure that they continue to conform to baselines over time after their deployment. Monitoring for consistency can be done through automated means, such as using a scanning tool that compares the baselines of connected assets to established configuration baselines, or by conducting periodic audits of assets to determine whether unauthorized changes have been made. Tools can also be used to automatically revert assets to baselines. Automated configuration management or monitoring tools may enable more efficient tracking of asset configurations. Tools that are able to span physical, virtual, mobile, hybrid, and other technology environments should be considered to help ensure adequate coverage of IT and OT assets. These tools may be optimized for specific products. When selecting automation tools, stakeholders with adequate training and experience should be engaged early and careful consideration should be given to ensuring the appropriate fit between automation tools and the products they are intended to integrate with. Data integrity tools (such as cryptographic checksums) may help in the detection of unauthorized changes to configuration settings, especially when managing virtualized assets. As an example of this, an organization may implement file integrity checks for virtualization platforms to be performed upon boot up and confirm that no unauthorized changes have occurred.

Related Practices · Progression: This practice is part of a practice progression. Practice progressions are groups of related practices that represent increasingly complete or more advanced implementations of an activity. The practices in this progression include: ASSET-3b, ASSET-3e.