Georgetown University has adopted the configuration management principles established in NIST SP 800-171 “Configuration Management” control guidelines as the official policy for this security domain. Each system administrator and system owner must adhere to the guidelines and procedures associated with this policy in order to support and be compliant with the University information security framework.

Baseline configurations are documented, formally reviewed, and agreed-upon sets of specifications for information systems or configuration items within those systems. Baseline configurations serve as a basis for future builds, releases, and changes to University systems, system components, and networks. 

Baseline Configuration Requirements

  1. UIS is responsible for establishing University-wide baseline configurations.  
     

  2. An updated baseline configuration must be developed, reviewed, approved, documented, and maintained under configuration control for each information system on a regular schedule. 
     

  3. A baseline configuration documents and provides information about the components of the system including: 

    • Standard operating system/installed applications with current version numbers 

    • Standard software load for workstations, servers, network components, and mobile devices and laptops 

    • Configuration settings/parameters 

    • Up-to-date patch level information 

    • Network topology/Information system owner 

    • Logical placement of the component within the system and enterprise architecture, as applicable
        

  4. UIS ensures that the baseline configuration of an information system is consistent with the University-wide enterprise architecture. Security additions may be made to the baseline, but cannot be removed without approval by the Chief Information Security Officer (CISO).
     

  5. Systems must be kept up-to-date by applying the latest security patches in accordance with the Patch Management Policy.

    • UIS is responsible for the patch compliance of laptops and workstations 

    • System owners are responsible for the patch compliance of servers and departmental systems  

  6. UIS utilizes best-practice system hardening baselines for the operating systems. Approved baselines are set in accordance with the principle of least functionality.
    • UIS will document any exceptions to baseline security configurations and obtain approval by the CISO. 
       
  7. UIS will retain previous versions of baseline configurations of the information system (i.e., hardware, software, firmware, configuration files, and configuration records) to support rollback.
     

  8. Baseline configurations are available for inspection as required.
     

  9. The UIS Image Governance Group will be responsible for reviewing and updating the baseline configuration for University servers and workstations:

    • When required because system upgrades, patches, or other significant changes have occurred in the baseline configuration

    • As an integral part of information system component installations and upgrades 

    • When there is an increase in interconnection with other systems outside the authorization boundary or there are significant changes in the security requirements for the system