South Plains College

Information Services (SPC-IS)

Secure Configuration Standard: I-E(c)

Purpose and Benefits

This standard establishes baseline configurations for SPC's information systems. Effective implementation will maximize security and minimize the potential risk of unauthorized access to information and technology.

Scope

This standard applies to all information systems owned and operated by or operated on behalf of SPC. Lab systems, such as those used in CIS labs, may require special consideration; however, this standard must be applied unless doing so inhibits the core functions of these systems or is otherwise not technically feasible.

Information Statement

Standard secure configuration profiles, based on any one or more of the industry consensus guidelines listed below, must be used in addition to the latest vendor security guidance. Alterations to the profile must be based on business need, policy, or standard compliance, developed in consultation with the Information Security Officer/designated security representative, documented, and retained for audit purposes.

Industry Consensus Guidelines

The initial setup, software installation, and security configuration of new systems must be performed in a secure environment isolated from other operational systems with minimal communication protocols enabled.

Changes to configurations are formally identified, proposed, reviewed, analyzed for security impact, tested, and approved before implementation per the change management procedures. Individuals conducting security impact analyses possess the necessary skills and technical expertise to analyze the changes to information systems and the associated security ramifications.

Entities must maintain configuration management plans that comply with the SPC Configuration Management Standard: I-E(a). Configuration management plans are typically developed during the development/acquisition phase of the secure system development life cycle.

A configuration monitoring process must be in place to identify undiscovered or undocumented system components, misconfigurations, vulnerabilities, and unauthorized changes.

Compliance

This standard shall take effect upon publication. Compliance with all enterprise policies and standards is expected, and policies and standards may be amended at any time.

If compliance with this standard is not feasible or technically possible, or if deviation from this standard is necessary to support a business function, entities shall request an exception through the Information Security Officer’s exception process.

Related Documents

1 TAC § 202.74 (a)(2)

National Institute of Standards and Technology (NIST) 800-128, Guide for Security-Focused Configuration Management of Information Systems

Texas Security Controls Standards Catalog Control Group: CM-6, RA-5, SA-5, SA-10

NIST Function Groups: PR.AC-1, PR.AC-4, PR.DS-3, PR.IP-1, PR.PT-1