Profile Applicability:
Level 1
Description:
Deployments of applications and infrastructure should be automated using tools such as CI/CD pipelines, deployment scripts, or orchestration platforms. Automated deployments reduce manual errors, ensure consistency, and speed up release cycles by enabling repeatable and reliable delivery of software changes.
Rationale:
Manual deployment processes are prone to human error, inconsistency, and delays, which can lead to system downtime or security vulnerabilities. Automation enforces standardized deployment steps, improves traceability, supports rollback capabilities, and enhances overall operational efficiency and security.
Impact:
Pros:
Reduces deployment errors and inconsistencies.
Accelerates release cycles and time to market.
Enables repeatable and auditable deployments.
Supports rapid rollback in case of issues.
Cons:
Requires investment in tooling and setup.
May require training for teams to adopt automation.
Default value:
Deployments are often done manually or semi-automated, leading to potential errors and inconsistencies.
Audit:
Review deployment procedures to confirm the use of automation tools and pipelines. Verify that deployments are executed through automated workflows rather than manual intervention.
Remediation:
Implement CI/CD pipelines and deployment automation tools. Define standard deployment scripts and templates. Provide training and enforce policies requiring automated deployments.
References:
Continuous Delivery Foundation - Best Practices: https://cd.foundation/
Jenkins Documentation: https://www.jenkins.io/doc/
CIS Controls v8, Control 6 – Maintenance, Monitoring, and Analysis of Audit Logs: https://www.cisecurity.org/controls/maintenance-monitoring-and-analysis-of-audit-logs/