UIS.203.1 Baseline Configuration Guidelines
In support of UIS.203 Configuration Management Policy
Georgetown University has adopted the configuration management principles established in NIST SP 800-171 “Configuration Management” control guidelines as the official policy for this security domain. Each system administrator and system owner must adhere to the guidelines and procedures associated with this policy in order to support and be compliant with the University information security framework.
Baseline configurations are documented, formally reviewed, and agreed-upon sets of specifications for information systems or configuration items within those systems. Baseline configurations serve as a basis for future builds, releases, and changes to University systems, system components, and networks.
Baseline Configuration Requirements
UIS is responsible for establishing University-wide baseline configurations.
An updated baseline configuration must be developed, reviewed, approved, documented, and maintained under configuration control for each information system on a regular schedule.
A baseline configuration documents and provides information about the components of the system, including:
- Standard operating system and installed applications, with current version numbers
- Standard software load for workstations, servers, network components, mobile devices, and laptops
- Up-to-date patch level information
- Network topology and information system owner
- Logical placement of the component within the system and enterprise architecture, as applicable
UIS ensures that the baseline configuration of an information system is consistent with university-wide enterprise architecture. Security additions may be added to the baseline, but cannot be removed without approval by the Chief Information Security Officer (CISO).
Systems must be kept up-to-date by applying the latest security patches in accordance with the Patch Management Policy.
- UIS is responsible for the patch compliance of laptops and workstations.
- System owners are responsible for the patch compliance of servers and departmental systems.
- UIS utilizes best-practice system hardening baselines for the operating systems. Approved baselines are set in accordance with the principle of least functionality.
- UIS will document any exceptions to baseline security configurations and obtain approval by the CISO.
UIS will retain previous versions of baseline configurations of the information system to support rollback (i.e. hardware, software, firmware, configuration files, and configuration records).
Baseline configurations are available for inspection as required.
The UIS Image Governance Group will be responsible for reviewing and updating the baseline configuration for University servers and workstations:
- When system upgrades, patches, or other significant changes to the baseline configuration require it
- As an integral part of information system component installations and upgrades
- When interconnection with other systems outside the authorization boundary increases, or when the security requirements for the system change significantly