Secure Configuration of Assets Policy


University Faculty, Staff, and Students require secure computer systems and networks to accomplish the University’s mission of teaching, research, and service; therefore the University Information Security Office (UISO) employs measures to protect the security of its systems, networks, and accounts. Directed by the Chief Information Security Officer (CISO), the policies set the information security standards which maximize the confidentiality, integrity, and availability of the University’s distributed information technology assets, systems, networks, and data.


The Configuration Management policy and supporting requirements apply to all information technology assets, systems, networks, website content and data that are owned by, managed by and/or sponsored by Georgetown; as well as the Faculty, Staff, Researchers, Affiliates, Suppliers, and students who own, operate, or maintain these systems for University Business.


This document provides requirements for the configuration management process which is required to assure that information systems are designed and configured using controls sufficient to safeguard the University’s information systems and data. Failure to protect network infrastructures against threats can result in the loss of data integrity, unavailability of data, and/or unauthorized use of data or information systems of which University departments are considered the owner. Each system administrator and system owner must adhere to the guidelines and procedures associated with this policy in order to support and be compliant with the University information security framework.

The University has adopted the Configuration Management principles established in The Center for Internet Security (CIS) Control #5 and in the National Institute of Standards and Technology (NIST) SP 800-53 Rev 4 “Configuration Management” control guidelines as the official policy for this security domain.  

Related Security Framework: 

NIST SP 800-53 Rev4: CM-1 | CIS 5

Supporting Documents
  • Responsibilities Glossary
  • Baseline Configuration Guidelines (CM-2)
  • Configuration Change Control Guidelines (CM-3)
  • Security Impact Analysis Guidelines (CM-4)
  • Access Restrictions for Change Guidelines (CM-5)
  • Configuration Settings Guidelines (CM-6)
  • Least Functionality Guidelines (CM-7)
  • Information System Component Inventory Guidelines (CM-8)
  • Configuration Management Plan Guidelines (CM-9)
  • Software Usage Restrictions Guidelines (CM-10)
  • User-Installed Software Data Guidelines (CM-11)