UIS.203.4 Configuration Settings Guidelines

In support of UIS.203 Configuration Management Policy

Georgetown University has adopted the configuration management principles established in NIST SP 800-171 “Configuration Management” control guidelines as the official policy for this security domain. Each system administrator and system owner must adhere to the guidelines and procedures associated with this policy in order to support and comply with the University information security framework.

Configuration settings are the set of parameters that can be changed in the hardware, software, or firmware components of the information system and that affect the security posture and/or functionality of the system.

Configuration Settings Requirements

  1. A standard set of mandatory configuration settings must be established and documented for information technology assets and networks. These configuration settings must be current and available for regular review and audit.  

  2. The system and network configuration settings, whether University standard or custom designed, must reflect the most restrictive mode consistent with operational requirements and must adhere to the University security frameworks. Rights and privileges to make changes to the systems and networks are managed and controlled by the UIS Elevated Privileges Management Policy.

  3. Any deviations from established configuration settings for information systems must be identified, documented, and submitted for approval by the University Change Control Board, as outlined in the Configuration Change Control Guidelines.

  4. Changes to the configuration settings are monitored and controlled in accordance with the Configuration Management Policy.