The configuration of an information system and its components has a direct impact on the security posture of the system. Establishing and maintaining those configurations requires a disciplined approach to provide adequate security. Changes to the configuration of an information system are often needed to stay up to date with changing business functions and services, and information security needs. These changes can adversely impact the previously established security posture; therefore, effective configuration management is vital to establishing and maintaining the security of information and the information system. The security-focused configuration management process is critical to maintaining a secure state under normal operations, contingency recovery operations, and reconstitution to normal operations.
Security Configuration Management (SCM) is the management and control of secure configurations for an information system to enable security and facilitate the management of risk. SCM builds on the general concepts, processes, and activities of configuration management by focusing attention on the implementation and maintenance of the established security requirements of the organization and information systems.