Configuration Management Policy

Purpose

The purpose of this policy is to ensure that the University IT Resources adhere to a standard configuration and have a minimum security standard in place to prevent any unauthorized access or data disclosures, exploitation, performance problems, or vulnerabilities and ensure a consistent, secure configuration across all technology.

Scope

This IT policy, and all policies referenced herein, shall apply to the following members of the University community: faculty, administrative officials, staff, authorized guests, delegates, and independent contractors (the "User(s)" or "you") who use, access, or otherwise employ, locally or remotely, the University's IT Resources, whether individually controlled, shared, stand-alone, or networked.

Policy Statement

• The Office of Information Technology must follow the agreed upon NIST's Cybersecurity Framework (NIST CSF).
• System administrator(s) and application or system owner(s) must adhere to the hardening guidelines the Office of Information Technology has identified, which are aligned with Center for Internet Security (CIS) Benchmarks^1.
  • Documentation must be maintained in the ReposITory.
  • The operating systems, applications, databases, and services must follow the documented hardening guidelines as implemented and agreed to by DevOps and Information Security and Assurance (ISA).
• IT Resources that collect, transmit, process, store, or host Fordham Protected or Sensitive Data must be:
  • Configured according to the applicable CIS Benchmarks,
  • Managed and inventoried, and
  • Secure from unauthorized access, distribution, or misuse.
• All servers and workstations that collect, transmit, process, store, or host Fordham Protected or Sensitive Data must be configured using the authorized protocols, controls, and settings outlined in the requisite CIS Benchmark document as implemented and agreed to by DevOps and Information Security and Assurance (ISA).
• IT configuration standards must be enabled on IT Resources to meet industry, federal, and regulatory requirements (e.g., port configurations on PCI networks for Payment Card Industry Data Security Standard (PCI DSS)).
• System administrator(s) and application or system owner(s) must document the CIS Benchmark configuration standards in collaboration with ISA for all IT Resources, including any deviations. The documentation must:
  • Include the CIS Benchmark version to which the IT Resource is built and configured and note any deviations,
  • Meet the security standards approved by ISA and DevOps.
  • Specify information about the components of the IT Resources, including, but not limited to:
    • Operating system or installed applications with current version numbers,
    • Installed software and its configuration on workstations, servers, network devices, and
    • Current network configurations, if applicable.
• Baseline configurations should be reviewed and updated:
  • Annually,
  • During system upgrades, patches, or other significant changes, or
  • During new system/application installations and upgrades.

¹ Consensus-developed secure configuration guidelines for hardening operating systems, servers, and cloud environments.

Definitions

IT Resources include computing, networking, communications, applications, telecommunications systems, infrastructure, hardware, software, data, databases, personnel, procedures, physical facilities, cloud-based vendors, Software as a Service (SaaS) vendors, and related materials and services.

Related Policies and Procedures

• Acceptable Use of IT Infrastructure and Resources Policy
• Data Classification Guidelines
• Systems Hardening Policy

Implementation Information

Revision History

Policy Disclaimer Statement

Deviations from policies, procedures, or guidelines published and approved by Information Security and Assurance (ISA) will only be considered cooperatively between ISA and the requesting entity with sufficient notice to allow for conducting appropriate risk analysis, documentation, review, and notification to authorized University representatives where necessary. Failure to adhere to ISA written policies may be met with University sanctions up to and including dismissal.