1 PURPOSEÂ
This standard establishes procedures and policies for configuration management of the Â̾ÞÈËÊÓƵ’s (Â̾ÞÈËÊÓƵ) information technology resources.Â
2 SCOPE
This standard applies to all Â̾ÞÈËÊÓƵ business and academic units and Â̾ÞÈËÊÓƵ-owned information systems that collect, store, process, share or transmit institutional data. Personally owned devices connecting to the University Campus Network must meet the Bring Your Own Device standard requirements.Â
3 STANDARDÂ
3.1Â INFORMATION SYSTEM COMPONENT INVENTORY
Secure configuration management requires an accurate, up-to-date inventory of information technology resources. ET&S teams configuring, installing, or deploying new Â̾ÞÈËÊÓƵ information technology resources shall develop and document an inventory of information system components that:
- Reflects the current information system accurately.
- Includes all components within the authorization boundary of the information system.
- Is at the level of granularity deemed necessary for tracking and reporting.
- Includes information considered necessary to achieve effective information system component accountability.
- Review and update the information system component inventory annually.
- Update the inventory of information system components as an integral part of component installations, removals, and information system updates.
3.2 CONFIGURATION MANAGEMENT PLAN
IT shall develop, document, and implement a configuration management plan for the information system that:Â
3.2.1 Addresses roles, responsibilities, and configuration management processes and procedures.Â
3.2.2 Establishes a process for identifying configuration items throughout the system development life cycle and managing the configuration items' configuration.Â
3.2.3 Defines the configuration items for the information system and places the configuration items under configuration management.Â
3.2.4 Protects the configuration management plan from unauthorized disclosure and modification.Â
3.3 BASELINE CONFIGURATION
A baseline configuration is the settings originally applied to the system to ensure it operates as intended. ET&S teams configuring, installing, or deploying new Â̾ÞÈËÊÓƵ information technology resources shall:
3.3.1Â Maintain secure configuration baselines for servers and endpoints throughout the system development life cycle (SDLC). Baseline configurations shall conform to industry best practices and may be created from pre-built configuration templates. Baseline configurations shall be updated periodically (with corresponding updates to change management logs and other pertinent documentation) as the system configurations change based on operational requirements and new security threats.Â
3.3.2Â The current and previous versions of configuration baselines must be stored in a secure location. At a minimum, one earlier version of a configuration baseline must be retained to support rollback and recovery. Validation and confirmation of configuration settings are strongly encouraged and may be done using automated tools.Â
3.3.3Â In all instances, the configuration baseline must be documented, reviewed, and updated at least annually and upon significant changes to information system functions, roles, or architecture.Â
3.4 CONFIGURATION CHANGE CONTROL
ET&S teams configuring, installing, or deploying new Â̾ÞÈËÊÓƵ information technology resources shall:
3.4.1 Determine and document the types of configuration-controlled physical and logical changes.Â
3.4.2 Analyze changes to the information system to determine potential security impacts before change implementation.Â
3.4.3 Coordinate and provide oversight for configuration change control activities through The Change Advisory Board (CAB), which convenes weekly or as needed.
- Approved controlled changes shall be documented and logged.Â
- Implement approved configuration-controlled changes to the information system.Â
- Retain records of configuration-controlled information system changes for at least two years.Â
- Audit and review activities associated with configuration-controlled changes to the information system.Â
3.4.4 The Change Advisory Board shall review proposed configuration-controlled changes and approve or deny such changes with explicit consideration for security impact. The CAB shall document controlled configuration change decisions and retain records for at least two years.
3.5 LEAST FUNCTIONALITY
ET&S teams configuring, installing, or deploying new Â̾ÞÈËÊÓƵ information technology resources shall:
3.5.1 Configure the information system to provide only essential capabilities.Â
3.5.2 Review the information system quarterly to identify unnecessary and/or non-secure functions, ports, protocols, and services.Â
3.5.3 Disable functions, ports, protocols, and services within the information system deemed unnecessary and/or non-secure.Â
3.5.4 Prevent program execution in accordance with policies regarding software program usage and restrictions and rules authorizing the terms and conditions of software program usage.Â
3.5.5 Identify software programs not authorized to execute on information systems.Â
3.5.6 Employ an allow-all, deny-by-exception policy to prohibit the execution of unauthorized software programs on the information system.Â
3.5.7 Review and update the list of unauthorized software programs annually.Â
3.6 SOFTWARE USAGE RESTRICTION
ET&S shall:
3.6.1 Use software and associated documentation in accordance with contract agreements and copyright laws.
3.6.2 Track the use of software and associated documentation protected by quantity licenses to control copying and distribution.
DOCUMENT HISTORY
- Approved by:Â Tom Nudd, Chief Information Security OfficerÂ
- Reviewed By:Â Dr. David A Yasenchock, Director, Cybersecurity GRCÂ
- Revision History: Â V 1.00 Dec 16, 2022, Cybersecurity GRC Working GroupÂ
- V1.1 April 23, 2024, Cybersecurity GRC Working GroupÂ
- May 30, 2025, K SWEENEY, Revised formatting