UIS.203.7 Least Functionality Guidelines

In support of UIS.203 Configuration Management Policy

Georgetown University has adopted the configuration management principles established in NIST SP 800-171 “Configuration Management” control guidelines as the official policy for this security domain. Each system administrator and system owner must adhere to the guidelines and procedures associated with this policy in order to support and be compliant with the University information security framework.

The principle of least functionality provides that information systems are configured  to provide only essential capabilities and to prohibit or restrict the use of non-essential functions, such as ports, protocols, and/or services that are not integral to the operation of that information system. 

Least Functionality Requirements

  1. Configure information systems to provide only essential capabilities and specifically prohibit or restrict the use of functions, ports, protocols, and/or services that are not required for the business function of the information system.

  2. Limit component functionality to a single function per device (e.g. database server, web server, etc.), where feasible. 

  3. Access to University information systems is granted and managed by the user role and business function. 

  4. Disable any functions, ports, protocols, and services within an information system that are deemed to be unnecessary and/or non-secure, in accordance Restricted List of Ports, Protocols, and/or Services.  

  5. Identify and remove/disable unauthorized and/or non-secure functions, ports, protocols, services, and applications.

  6. Prevent program execution regarding software program usage and restrictions, and/or rules authorizing the terms and conditions of software program usage.