South Plains College
Information Services (SPC-IS)
Configuration Management Standard: I-E(a)
Purpose
To ensure that Information Technology (IT) resources are inventoried and configured
in compliance with South Plains College security policies, standards, and procedures.
Standard
This Standard applies to all departments and users of SPC technology resources and
assets.
- Baseline Configuration
SPC-IS Department Shall:
- Develop, document, and maintain, under configuration control, a current baseline configuration of information systems.
- Review and update the baseline configuration of the information system annually.
- Review and update the information system's baseline configuration when required due to security incidents and as an integral part of information system component installations and upgrades.
- Retain one previous version of baseline configurations of information systems to support rollback.
- Configuration Change Control
SPC-IS Department Shall:
- Determine the types of configuration-controlled changes to the information system.
- Review proposed configuration-controlled changes to the information system and approve or disapprove them, explicitly considering security impact analyses.
- Document configuration change decisions associated with the information system.
- Implement approved configuration-controlled changes to the information system.
- Retain records of configuration-controlled changes to the information system for five years.
- Audit and review activities associated with configuration-controlled changes to the information system.
- Test, validate, and document changes to the information system before implementing them in the operational system.
- Security Impact Analysis
SPC-IS Department Shall:
- Analyze changes to the information system to determine potential security impacts before change implementation.
- Access Restrictions for Change
SPC-IS Department Shall:
- Define, document, approve, and enforce physical and logical access restrictions associated with changes to the information system.
- Configuration Settings
SPC-IS Department Shall:
- Establish and document configuration settings for information technology products employed within the information system that reflect the most restrictive mode consistent with operational requirements.
- Implement the configuration settings.
- Identify, document, and approve any deviations from established configuration settings.
- Monitor and control changes to the configuration settings per policies and procedures.
- Least Functionality
SPC-IS Department Shall:
- Configure the information system to provide only essential capabilities.
- Review the information system quarterly to identify unnecessary and insecure functions, ports, protocols, and services.
- Disable functions, ports, protocols, and services within the information system that are deemed unnecessary or insecure.
- Prevent program execution in accordance with policies regarding software program usage and restrictions, and with rules authorizing the terms and conditions of software program usage.
- Identify software programs not authorized to execute on information systems.
- Employ an allow-all, deny-by-exception policy to prohibit the execution of unauthorized software programs on the information system.
- Review and update the list of unauthorized software programs annually.
- Information System Component Inventory
SPC-IS Department Shall:
- Develop and document an inventory of information system components that:
  - Reflects the current information system accurately.
  - Includes all components within the authorization boundary of the information system.
  - Is at the level of granularity deemed necessary for tracking and reporting.
  - Includes information deemed necessary to achieve effective information system component accountability.
- Review and update the information system component inventory annually.
- Update the inventory of information system components as an integral part of component installations, removals, and information system updates.
- Employ automated mechanisms to detect the presence of unauthorized hardware, software, and firmware components within the information system.
- Take the following actions when unauthorized components are detected:
  - Disable network access by such components, or
  - Isolate the components and notify the Information Security Officer, the Chief Information Officer, and the system owner.
- Verify that all components within the information system's authorization boundary are not duplicated in other component inventories.
- Configuration Management Plan
SPC-IS Department Shall:
- Develop, document, and implement a configuration management plan for the information system that:
  - Addresses roles, responsibilities, and configuration management processes and procedures.
  - Establishes a process for identifying configuration items throughout the system development life cycle and managing their configuration.
  - Defines the configuration items for the information system and places the configuration items under configuration management.
  - Protects the configuration management plan from unauthorized disclosure and modification.
- Software Usage Restrictions
SPC-IS Department Shall:
- Use software and associated documentation per contract agreements and copyright laws.
- Track the use of software and associated documentation protected by quantity licenses to control copying and distribution.
- Control and document the use of peer-to-peer file-sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.
- User-Installed Software
SPC-IS Department Shall:
- Establish policies governing the users' installation of software.
- Enforce software installation policies by controlling privileged access and blocking file execution using a policy applied by a directory service or application whitelisting.
- Monitor policy compliance annually.
Compliance
This standard shall take effect upon publication. Compliance is expected with all enterprise policies and standards, which may be amended at any time.
If compliance with this standard is not feasible or not technically possible, or if deviation from this standard is necessary to support a business function, entities shall request an exception through the Chief Information Security Officer’s exception process.
Standards Exceptions
Requests for exceptions to this standard shall be reviewed by the Information Security Officer (ISO) and the Chief Information Officer (CIO). Departments requesting exceptions shall make such requests to the CIO. The request should specifically state the scope of the exception, the justification for granting it, the potential impact or risk attendant upon granting it, the risk mitigation measures to be undertaken by the IT Department, and the initiatives, actions, and time frame for achieving the minimum compliance level with the requirements set forth herein. The CIO shall review such requests and confer with the requesting department.
Related Documents
1 TAC § 202.74 (a)(2)
National Institute of Standards and Technology (NIST) Special Publication (SP): NIST SP 800-53a – Configuration Management (CM)
An index of approved SPC-IS policies can be found on the SPC Policies website at http://www.southplainscollege.edu/human_resources/policy_procedure/?%20. The SPC Information Security Program and SPC Information Security User Guide are also available on the Information Technology Services Policies website.
Texas Security Controls Standards Catalog Control Group: CM-1, SA-10, SI-2, SI-3
NIST Function Groups: PR.AC-1, PR.AC-4, PR.IP-1, PR.PT-1