South Plains College
Information Services (SPC-IS)
Secure Configuration Standard: I-E(c)
Purpose and Benefits
This standard establishes baseline configurations for SPC's information systems. Effective implementation will maximize security and minimize the potential risk of unauthorized access to information and technology.
Scope
This standard applies to all information systems owned and operated by or operated on behalf of SPC. Lab systems, such as those used in CIS labs, may require special consideration; however, this standard must be applied unless doing so inhibits the core functions of these systems or is otherwise not technically feasible.
Information Statement
Standard secure configuration profiles, based on any one or more of the industry consensus guidelines listed below, must be used in addition to the latest vendor security guidance. Alterations to the profile must be based on business need, policy, or standard compliance, developed in consultation with the Information Security Officer/designated security representative, documented, and retained for audit purposes.
Industry Consensus Guidelines
- Center for Internet Security (CIS) Benchmarks
- National Institute of Standards and Technology (NIST) National Checklist Program
- United States Government Configuration Baselines (USGCB)
The initial setup, software installation, and security configuration of new systems must be performed in a secure environment that is isolated from other operational systems and has only the minimum necessary communication protocols enabled.
Changes to configurations must be formally identified, proposed, reviewed, analyzed for security impact, tested, and approved before implementation, per the change management procedures. Individuals conducting security impact analyses must possess the skills and technical expertise needed to analyze the changes to information systems and their associated security ramifications.
Entities must maintain configuration management plans that comply with the SPC Configuration Management Standard: I-E(a). Configuration management plans are typically developed during the development/acquisition phase of the secure system development life cycle.
A configuration monitoring process must be in place to identify undiscovered or undocumented system components, misconfigurations, vulnerabilities, and unauthorized changes.
Compliance
This standard shall take effect upon publication. Compliance with all enterprise policies and standards is expected, and policies and standards may be amended at any time.
If compliance with this standard is not feasible or technically possible, or if deviation from this standard is necessary to support a business function, entities shall request an exception through the Information Security Officer’s exception process.
Related Documents
1 TAC § 202.74 (a)(2)
Texas Security Controls Standards Catalog Control Group: CM-6, RA-5, SA-5, SA-10
NIST Function Groups: PR.AC-1, PR.AC-4, PR.DS-3, PR.IP-1, PR.PT-1