
Publication Summary

Title Configuration Management Policy
Author(s) Alessandro Cardinali
Issued by CEO

Version doc. 0.1
Review freq. Yearly

Date of issue December 11, 2023
Owner Alessandro Cardinali
Document status Draft – Final Draft - Final
Approval Date n/a
Classification Internal

Change Log

Version Date Author Comments
0.1 December 11, 2023 First draft document
1.0 December 20, 2023

Contents

1 Introduction

2 Configuration management policy

Introduction

Soon Technologies B.V. uses a wide variety of components in creating and running its ICT infrastructure and end-user devices. These consist of hardware, software, cloud services and networks, all of which are potentially vulnerable to threats from different sources. To lessen the risk of these components becoming compromised, it is important that we identify the most appropriate ways of configuring them and then ensure that these methods are used throughout our ICT landscape.

This policy describes the main principles on which such standard configurations must be based and sets out the rules for their use.

This control applies to all systems, people and processes that constitute the organization’s information systems, including board members, directors, employees, suppliers and other third parties who have access to Soon Technologies B.V. systems.

The following policies and procedures are relevant to this document:

Configuration management policy

New components that make up Soon Technologies B.V. hardware, software, services and networks must have their required security settings defined and correctly configured prior to their implementation within our ICT environment.

Configurations of existing components must be reviewed periodically to ensure they meet the requirements of this policy.

Such components will include, but are not limited to:

  • Endpoint devices, such as desktops, laptops, mobile phones and tablets

  • Physical network devices, such as routers, switches and firewalls

  • Physical servers, including system software such as operating systems, databases and web servers

  • Cloud infrastructure, such as virtual servers, networks and storage

Where possible, standard templates will be used to document the required configuration of ICT components. These templates will be subject to change and version control.

The configurations defined will take appropriate account of available sources of information about securing the relevant components, such as vendor templates, guidance from cyber security authorities and best practice organizations, system hardening guides and our own information security policies.

Details of configuration standards will be protected as sensitive information, since they would be of use to an attacker.

Configuration standards must be reviewed on a regular basis and kept up to date with changes in the components themselves (such as new hardware or software versions) and the threats and vulnerabilities they face.

The correct configuration of components will be monitored and instances where existing settings deviate from the established standard will be investigated and, if necessary, corrected.

Where feasible, automated software methods such as Infrastructure as Code (IaC) will be used to create components with the correct configuration. Automated audit tools may also be used to check configurations regularly and report on and correct those found to be noncompliant.