UIS.203.3 Access Restrictions for Change Control Guidelines

In support of UIS.203 Configuration Management Policy

Georgetown University has adopted the configuration management principles established in NIST SP 800-171 “Configuration Management” control guidelines as the official policy for this security domain. Each system administrator and system owner must adhere to the guidelines and procedures associated with this policy in order to support and be compliant with the University information security framework.

Access Restrictions for Change Control Requirements

The UIS system change control process incorporates the following: UIS is responsible for establishing University-wide baseline configurations.  

1. Only qualified and authorized individuals are provided access to information system components for purposes of initiating changes, including upgrades and modifications. 

2. Changes to end-user workstations are permitted only by authorized administrators. 

   • Local administrative privileges are only granted with University Information Security Office (UISO) approval through the UIS Service Management Support Team. 

3. Change Logs must be maintained to ensure that configuration change control is being implemented as intended and for supporting periodic audits by UISO in accordance with Information Security Audit Logging Policy.

4. Privileges to change information system components and system-related information within a production or operational environment must be limited to designated Change Manager to avoid unintended changes to other systems and business processes.

5. All change requests must align with the UIS Change Management Guidelines, which require receiving approvals from the Change Owner and the Change Control Coordinator before implementing any changes to systems, services, or networks. 

6. Access to operating system and operational or production application software/program libraries is restricted to designated staff only.