UIS.203 Configuration Management Policy

200. Information Systems Security

Purpose

Georgetown University Information Services has developed and implemented the Configuration Management Policy and procedures to ensure that secure computer systems and networks are available to accomplish the University’s mission of teaching, research, and service. Directed by the Chief Information Security Officer (CISO), these policies set the information security standards that maximize the confidentiality, integrity, and availability of the University’s distributed information technology assets, systems, networks, and data.

Scope

The Configuration Management Policy and its supporting requirements apply to all information technology assets, systems, networks, and data hosts that are owned by, managed by, and/or sponsored by Georgetown. This policy also applies to the faculty, staff, researchers, affiliates, suppliers, and students who own, operate, or maintain these systems for University business, academia, and research.

Policy

Georgetown University has adopted the configuration management principles established in the NIST SP 800-171 “Configuration Management” control guidelines as the official policy for this security domain. Each system administrator and system owner must adhere to the guidelines and procedures associated with this policy in order to support, and remain compliant with, the University information security framework.

The purpose of the configuration management policy is to ensure that University technology systems abide by a baseline configuration and have a consistent minimum security standard in place to prevent intrusion by external threats, exploitation of vulnerabilities, unauthorized data disclosure, and performance problems and flaws.

Any hardware asset that is in operation to collect, transmit, process, store, or host University data must be inventoried and managed to ensure that it is not susceptible to unauthorized access, distribution, or misuse. The higher the value of the asset to the University, or the more susceptible it is judged to be to risk or exploitation, the higher the level of protection required for its management.

All servers and end-user workstations that are in operation to collect, transmit, process, store, or host University data must be formatted and configured using the authorized protocols, controls, and settings sufficient to safeguard the University’s systems and their associated data.

Failure to protect University information systems, hardware, and networks against threats and substandard configurations can result in the loss of data integrity, the unavailability of data, and/or the unauthorized use of data or information systems owned by University departments.