IT Security Configuration Management Standard

I. Purpose

This Standard supports and supplements FSU Technology Policies and provides additional security and privacy best practices. It establishes requirements for implementing and maintaining Configuration Management for IT Assets in order to minimize operational malfunctions, intrusions by external threats, exploitation of vulnerabilities, unauthorized data disclosures, and performance problems.

Standards will be periodically reviewed and updated as necessary to meet emerging threats, changes in legal and regulatory requirements, and technological advances. All users are required to comply with this Standard or obtain an exception in accordance with the Request for Exception to IT Security Policy.

II. Definitions

Baseline Configuration – documented, formally reviewed and agreed-upon sets of specifications that ensure that IT Assets are properly configured and hardened to reduce vulnerabilities. Baselines must only be changed through proper change control.

Change Management – a critical discipline that controls and communicates the changes occurring in the IT environment.

Consolidated University Unit (CUU) – a consolidated group of related university units that has management authority and responsibility for compliance with IT policies, standards, and guidelines.

Hardening – the process of securing an IT Asset’s configuration and settings to eliminate as many security risks as possible, reducing its vulnerability and the likelihood of compromise. Hardening reduces an asset’s attack surface, which grows with the number of functions a system performs; a single-function system is easier to secure than a multipurpose one. Reducing the available avenues of attack may include changing default passwords, removing unnecessary software, removing unnecessary user accounts or logins, and disabling or removing unnecessary services.

Information Security Incident - a suspected, attempted, successful, or imminent threat of unauthorized access, use, disclosure, breach, modification, or destruction of information; interference with information technology operations; or significant violation of responsible use policy.

IT Assets – technology resources including, but not limited to, computers, networks, servers, applications, databases, software, and operating systems that are owned by, managed by and/or sponsored by IT Asset Custodians.

Misconfiguration – an incorrect or suboptimal configuration of an information system or system component that may lead to vulnerabilities.

Security Configuration Management – the management and control of configurations for an information system with the goal of enabling security and managing risk. The process includes identifying, controlling, accounting for and auditing changes made to pre-established Baseline Configurations.

Full IT Glossary

III. Standard

FSU has adopted the NIST Framework for Improving Critical Infrastructure Cybersecurity in conjunction with NIST SP 800-53 controls as the foundation for a risk-based approach to cybersecurity management. The Cybersecurity Framework (CSF) Core uses common cybersecurity functions, activities, and desired outcomes to align university policy to the management of IT risk. The CSF Core leverages industry standards, guidelines, and practices to establish baseline expectations for cybersecurity for all university units.

Consolidated University Units (CUUs) are responsible for using this framework and controls to assess their unique risks, threats, vulnerabilities, and risk tolerances to determine an appropriate risk management plan that complies with FSU Technology Policies, Standards and Guidelines.

Controls supporting this Standard include, but are not limited to:

NIST Cybersecurity Framework and Controls

Function / Category / Desired Outcome

Identify (ID)
  Asset Management (ID.AM): The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the organization’s risk strategy.
    • ID.AM-1: Physical devices and systems within the organization are inventoried
    • ID.AM-2: Software platforms and applications within the organization are inventoried

Protect (PR)
  Data Security (PR.DS): Information and records (data) are managed consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information.
    • PR.DS-3: Assets are formally managed throughout removal, transfers, and disposition
    • PR.DS-7: The development and testing environment(s) are separate from the production environment
  Information Protection Processes and Procedures (PR.IP): Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures are maintained and used to manage protection of information systems and assets.
    • PR.IP-1: A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality)
    • PR.IP-3: Configuration change control processes are in place
  Protective Technology (PR.PT): Technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements.
    • PR.PT-3: The principle of least functionality is incorporated by configuring systems to provide only essential capabilities

Detect (DE)
  Security Continuous Monitoring (DE.CM): The information system and assets are monitored to identify cybersecurity events and verify the effectiveness of protective measures.
    • DE.CM-1: The network is monitored to detect potential cybersecurity events
    • DE.CM-3: Personnel activity is monitored to detect potential cybersecurity events
    • DE.CM-7: Monitoring for unauthorized personnel, connections, devices, and software is performed

Full CSF Crosswalk to Controls: NIST Crosswalk
*The above NIST chart describing Cybersecurity Framework and Controls and the link to other NIST Crosswalk principles and information in no way belongs to or is owned by Florida State University.

Roles and Responsibilities

Chief Information Security Officer (CISO) and Information Security and Privacy Office (ISPO)
The CISO directs the Information Security and Privacy Office (ISPO) for the University. The CISO reports to the CIO and the Provost and serves as both the CISO and the Chief Privacy Officer for FSU. The CISO and ISPO are responsible for enforcing the application of appropriate operational security controls necessary to mitigate risks associated with unauthorized disclosure, loss, or theft of university information.
Consolidated University Unit (CUU) Dean, Director, or Department Head (DDDH)
The Dean, Director, Department Head, or other managerial position responsible for protecting the confidentiality, availability, and integrity of university IT Assets within a CUU. The CUU DDDH has responsibility for ensuring IT security and privacy for the units within the CUU.
Consolidated University Unit (CUU) Information Security Manager (ISM)
The liaison designated by the CUU Dean, Director, or Department Head (DDDH) responsible for coordinating the CUU’s information security program. The CUU ISM is the central point of contact between the University Units and ISPO for security issues. CUU ISM responsibilities will be included in position descriptions.
University Unit Information Security Manager (ISM)
The liaison designated by a University Unit Dean, Director, or Department Head (DDDH) responsible for ensuring a university unit’s compliance with security IT policies, standards, and guidelines, in coordination with their designated CUU’s information security program.
IT Asset Custodian
An individual with responsibility for the configuration, implementation, management, monitoring, oversight, and day-to-day operations of university IT Assets. IT Assets include but are not limited to enterprise or distributed networks, computers, servers, workstations, IoT devices, applications, databases, operating systems, and firmware.

For more information, see IT Roles and Responsibilities.

Configuration Management

This Standard applies security-focused Configuration Management practices as they apply to IT Assets. For more information, see NIST Special Publication 800-128, Guide for Security-Focused Configuration Management of Information Systems.

The configuration of an IT Asset is a representation of the system’s components, how each component is configured, and how the components are connected or arranged to implement the asset. A misconfiguration may affect the security posture of the asset and the university’s infrastructure. The activities involved in managing the configuration process include planning, identification, establishment of the baseline configuration, change control, configuration monitoring and reporting.

CUU and University Unit ISMs are responsible for ensuring security configuration management within the units. They will provide support and oversight to CUU IT Asset Custodians to ensure proper configuration management of all CUU IT Assets.

IT Asset Custodians must inventory, document, monitor and manage the IT Assets for which they are responsible. For each asset, the Custodian must determine its susceptibility to risk or exploitation and the level of protection required to comply with policies and standards. Risk level is determined by the IT Asset Custodian based on factors including, but not limited to:

  • the sensitivity and risk of harm to individuals or FSU if the IT Asset or High Risk/Moderate Risk data is subject to a breach or unauthorized disclosure. (For more information see Data Security Standard.)
  • failure or loss of availability of a critical business function.
  • loss of productivity or other negative impacts to resources.

IT Asset documentation and risk assessment information shall be made available to the CUU and University Unit ISMs and ISPO upon request.

Security Configuration Management Requirements

IT Asset Custodians must ensure that data is properly protected, and IT Assets are properly hardened, monitored, and managed from initial installation, through configuration, maintenance, and support, to end-of-life decommissioning according to Configuration Management controls.

Configuration Management Policy and Procedures
The CISO is responsible for establishing Configuration Management policies and standards that apply to enterprise and distributed IT Assets.

CUU and University Unit ISMs are responsible for ensuring appropriate configuration management within the CUU to ensure the FSU infrastructure is secure and resilient.

Configuration Management Plan
Each IT Asset Custodian must develop, document, and implement a Configuration Management Plan for IT Assets that:

  • addresses configuration management roles, responsibilities, standards, processes, and procedures.
  • establishes a process for identifying configuration items throughout the system development life cycle (SDLC), and ensures they align with established policies, standards, processes, and procedures.
  • protects the Configuration Management Plan from unauthorized disclosure and modification.

IT Asset Inventory
IT Asset Custodians are responsible for establishing and maintaining an accurate, detailed, and up-to-date inventory of all IT Assets and asset components (devices, applications, operating systems, networks, etc.) connected to the infrastructure (physically, virtually, remotely, within cloud environments, etc.). This includes relevant hardware/software/system specific component information such as CUU, Unit, IT Asset Custodian, location, manufacturer, device type, model, serial number, version number, machine name, hardware address and specifications, software license information, software version numbers, etc. For more information, see IT Asset Inventory Template.

IT Asset Custodians must maintain an inventory of IT Assets and IT Asset components:

  • Develop and document an inventory of IT Asset components that:
    • accurately reflects the current IT Assets for which the IT Asset Custodian is responsible
    • includes information necessary to achieve effective infrastructure component accountability and proper management, including requirements identified by the IT Vulnerability Management Standard.
    • is at the level of granularity deemed necessary for tracking and reporting.
  • Review and update the component inventory as an integral part of installation, removal, and updates. See Data Disposal and Media Sanitization Standard for disposal requirements.
  • Ensure that only currently supported and authorized IT Assets are connected to the infrastructure unless an exception is approved according to the Request for Exception to IT Policy.
  • Employ mechanisms to detect the presence of unauthorized hardware, software, and firmware. The IT Asset Custodian must take action when unauthorized components are detected, such as disabling network access for such components, isolating the components, or notifying authorized points of contact.
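The inventory above records a hardware (MAC) address for each component, and the last bullet requires a mechanism that detects components not in that inventory. The script below, an added illustration that is not FSU's own tooling, shows the reconciliation such a mechanism performs: it normalizes MAC addresses written in different vendor formats, compares a snapshot of endpoints seen on the network against the inventory, and separates three cases that call for different responses (unknown device, inventoried but unsupported device still online, inventoried device no longer seen). The inventory rows, the observed endpoints and the field names are constructed sample data and assumptions, not FSU records.

```python
"""Reconcile endpoints seen on the network against the IT Asset inventory.

Added illustration for this Standard, not FSU code. The inventory rows and
the observed endpoints below are constructed sample data, and the field
names (hostname, mac, custodian, supported) are assumptions.
"""
import re
from dataclasses import dataclass

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Canonicalize a MAC to lower-case colon form so that inventory entries
    written as 'AA-BB-..', 'aabb.ccdd.eeff' (Cisco) or 'aa:bb:..' all match."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass(frozen=True)
class Asset:
    hostname: str
    mac: str
    custodian: str
    supported: bool  # False once the vendor no longer ships patches


# Constructed inventory extract (in practice, the unit's IT Asset Inventory).
INVENTORY = [
    Asset("db01", "00:11:22:33:44:55", "custodian-a", True),
    Asset("web01", "00-11-22-33-44-66", "custodian-a", True),
    Asset("legacy-printer", "0011.2233.4477", "custodian-b", False),
    Asset("nas-old", "00:11:22:33:44:88", "custodian-b", True),
]

# Constructed snapshot of (MAC, IP) pairs from DHCP leases / switch MAC table.
OBSERVED = [
    ("00:11:22:33:44:55", "10.0.0.10"),
    ("00:11:22:33:44:66", "10.0.0.11"),
    ("00:11:22:33:44:77", "10.0.0.12"),
    ("DE:AD:BE:EF:00:01", "10.0.0.50"),
]


def reconcile(inventory, observed):
    """Return three lists: endpoints not in inventory (unauthorized), inventoried
    but unsupported assets that are still online, and inventoried assets not
    seen at all (stale inventory or undocumented removal/transfer)."""
    known = {normalize_mac(a.mac): a for a in inventory}
    seen = {normalize_mac(mac): ip for mac, ip in observed}
    findings = {"unauthorized": [], "unsupported": [], "absent": []}
    for mac, ip in seen.items():
        asset = known.get(mac)
        if asset is None:
            findings["unauthorized"].append((mac, ip))
        elif not asset.supported:
            findings["unsupported"].append((asset.hostname, ip))
    findings["absent"] = [a.hostname for mac, a in known.items() if mac not in seen]
    return findings


def recommended_actions(findings):
    """Map each finding to the response the Standard calls for."""
    actions = []
    for mac, ip in findings["unauthorized"]:
        actions.append(f"isolate {ip} ({mac}): not in inventory; notify custodian/ISM")
    for host, ip in findings["unsupported"]:
        actions.append(f"{host} ({ip}): unsupported asset online; remove or file exception")
    for host in findings["absent"]:
        actions.append(f"{host}: in inventory but not observed; verify removal/transfer record")
    return actions


if __name__ == "__main__":
    for line in recommended_actions(reconcile(INVENTORY, OBSERVED)):
        print(line)
```

The "absent" case is deliberately reported rather than ignored: an inventoried device that has disappeared is either a stale inventory record or a removal or transfer that bypassed the disposal process, and both are inventory accuracy failures under this Standard. MAC addresses are trivially spoofed, so this check detects accidental and careless connections, not a determined attacker; it complements, rather than replaces, port-based network access control.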

Baseline Configurations
Baselines are documented, formally reviewed and agreed-upon sets of specifications that ensure that IT Assets are properly configured and hardened to reduce vulnerabilities. Hardening includes removing superfluous programs, account functions, applications, ports, permissions, access, or other configuration changes to reduce attackers’ ability to gain unauthorized access to the IT environment. Types of hardening activities include application hardening, operating system hardening, server hardening, database hardening and network hardening.

Baseline configurations may also be used to create master configuration images (golden images), with required configuration settings already in place. An example of a golden image is a configuration with approved base operating system settings that can be rolled out to all virtual machines/workstations in the unit. Baseline configurations serve as a basis for future builds, releases, and changes to university systems, system components, and networks.

IT Asset Custodians are responsible for selecting and tailoring appropriate security control baselines for all IT Assets, based on the criticality and sensitivity of the information to be processed, stored, or transmitted by the system. The following are examples of organizations that provide industry-accepted Baseline configurations and checklists that comply with the legal requirements and FSU Standards, and may be used by units to establish required Baselines:

Other industry-accepted Baselines that meet the requirements of this Standard may also be selected.

Baseline configurations must be updated as needed to ensure system upgrades, patches or other significant changes are addressed according to compliance requirements identified by the IT Vulnerability Management Standard. Existing baseline configurations must be reviewed at least annually to ensure they are still applicable.

Configuration Change Control
Configuration change control is the documented process for managing and controlling changes to the configuration of a system. Configuration change control includes, but is not limited to:

  • changes to Baseline configurations for components and configuration items of IT Assets.
  • changes to configuration settings for information technology products (e.g., operating systems, applications, firewalls, routers, and mobile devices).
  • unscheduled/unauthorized changes.
  • changes to remediate vulnerabilities. (See also IT Vulnerability Management Standard).

IT Asset Custodians must ensure proper configuration change control:

  • determine the types of changes to an information system or IT Asset that impact configuration.
  • review proposed configuration changes and approve or disapprove with explicit consideration for security impact analysis and document change decisions.
  • properly test, validate, and document planned changes prior to implementation of approved changes.
  • coordinate and provide oversight for change control activities through a change control entity that convenes regularly.
  • retain previous configurations and records of changes for the life of the system or IT Asset to support audit, incident response and historical reference.
  • audit and review activities associated with configuration changes to the information system or IT Asset, including audit logs and rollback procedures.

Security Impact Analysis
Each IT Asset Custodian must analyze planned changes to an information system or IT Asset to determine potential security impacts prior to change implementation. Security impact analysis may include reviewing security plans to understand security control requirements and reviewing system design documentation to understand control implementation and how specific changes might affect the controls. Security impact analyses may also include assessments of risk to better understand the impact of the changes and to determine if additional security controls are required. Analyses are scaled in accordance with the security requirements of the IT Asset.

IT Asset Custodians must ensure proper testing of configuration changes. Whenever possible, changes should be tested in a separate environment which is physically or logically isolated from the operational environment. After implementation, implemented changes must be verified to ensure that functions are implemented correctly, operating as intended, and producing the desired outcome to meet the security requirements of the system.

Access Restrictions for Change
IT Asset Custodians must define, document, approve, and enforce physical and logical access restrictions associated with changes to an information system or IT Asset. Only qualified and authorized individuals are provided access to information system components for purposes of initiating changes, including upgrades and modifications. Audit trails or change logs must be maintained to ensure that configuration change control is being implemented as intended and to support periodic audits.

Configuration Settings
Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the information system that affect the security posture and/or functionality of the system. Information technology products for which security-related configuration settings can be defined include mainframe computers, servers (e.g., database, electronic mail, authentication, web, proxy, file, domain name), workstations, input/output devices (e.g., scanners, copiers, and printers), network components (e.g., firewalls, routers, gateways, voice and data switches, wireless access points, network appliances, sensors), operating systems, middleware, and applications. Security-related parameters include registry settings; account, file, and directory permission settings; and settings for functions, ports, protocols, services, and remote connections. Organizations establish organization-wide configuration settings and subsequently derive specific settings for IT Assets. The established settings become part of the configuration Baseline.

Each IT Asset Custodian must maintain appropriate configuration settings:

  • establish, document, and implement configuration settings for information technology products employed within the information system, that reflect the most restrictive mode consistent with operational requirements.
  • identify, document, and approve any deviations from established configuration settings.
  • monitor and control changes to configuration settings in accordance with policies and standards.

Least Functionality
The principle of least functionality provides that information systems and IT Assets are configured to provide only essential capabilities and to prohibit or restrict the use of non-essential functions, such as ports, protocols, and/or services that are not integral to the operation of that asset.

IT Asset Custodians must ensure IT Assets are configured to restrict access through least functionality:

  • configure IT Assets to provide only the capabilities essential to their function and risk level. At least annually, review the functions, ports, protocols, and services in use; identify and disable or remove those deemed unnecessary, unused, or detrimental to the system or the business.
  • identify and remove or disable unauthorized and/or insecure functions, ports, protocols, services, and applications.
  • limit each device to a single function (e.g. database server, web server, etc.), where feasible.
  • when a device with elevated security controls is used to access IT Assets in locations deemed high risk, apply the predefined security safeguards before joining it to the production network.

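The Configuration Settings requirements (establish the most restrictive settings, document and approve deviations, monitor changes) and the Least Functionality requirements (only essential services listening, reviewed at least annually) are in practice verified by the same kind of check. The script below, an added illustration that is not FSU's own tooling, runs that check for one host: it parses an sshd_config excerpt and `ss -Hltnp` output collected from the host, compares them to a per-role baseline, and reports drifted settings, settings left at a product default, and listeners outside the role's allowlist, while recognizing a deviation that already went through change control. The "web" role baseline, the config and `ss` excerpts, the host name and the ticket identifier are constructed sample data and assumptions.

```python
"""Check one host against its documented baseline and least-functionality allowlist.

Added illustration for this Standard, not FSU code. The baseline for the
"web" role, the sshd_config excerpt, the `ss` output and the deviation
register are constructed sample data; host names and ticket IDs are assumptions.
"""
import re

# Documented baseline for the "web" role: required security-related settings
# and the only listening services that role is allowed to expose.
BASELINE_WEB = {
    "settings": {
        "PermitRootLogin": "no",
        "PasswordAuthentication": "no",
        "X11Forwarding": "no",
        "MaxAuthTries": "4",
    },
    "allowed_listeners": {(22, "sshd"), (443, "nginx")},
}

# Register of approved deviations: (host, item) -> (approved value, change ticket).
APPROVED_DEVIATIONS = {
    ("web01", "MaxAuthTries"): ("6", "CHG-0001"),
}

# Constructed excerpt of /etc/ssh/sshd_config collected from web01.
SSHD_CONFIG = """\
# sshd_config (constructed)
PermitRootLogin no
PasswordAuthentication yes
MaxAuthTries 6
"""

# Constructed `ss -Hltnp` output collected from web01.
SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=712,fd=3))
LISTEN 0 511 0.0.0.0:443 0.0.0.0:* users:(("nginx",pid=901,fd=6))
LISTEN 0 4096 127.0.0.1:3306 0.0.0.0:* users:(("mysqld",pid=1200,fd=21))
"""

_SS_LINE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+\s+users:\(\("(?P<proc>[^"]+)"'
)


def parse_keyvalue_config(text):
    """Parse 'Key value' lines (sshd_config style); comments and blanks ignored."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition(" ")
            settings[key] = value.strip()
    return settings


def parse_listeners(text):
    """Return the set of (port, process) pairs listening, from `ss -Hltnp` output."""
    listeners = set()
    for line in text.splitlines():
        m = _SS_LINE.match(line)
        if m:
            port = int(m.group("local").rsplit(":", 1)[1])
            listeners.add((port, m.group("proc")))
    return listeners


def check_host(host, baseline, settings, listeners, deviations):
    """Findings are (kind, item, actual, expected) tuples. An approved deviation
    carries its change ticket in the 'expected' slot so the auditor can trace it."""
    findings = []
    for key, required in baseline["settings"].items():
        actual = settings.get(key)
        if actual == required:
            continue
        approved = deviations.get((host, key))
        if approved and approved[0] == actual:
            findings.append(("approved-deviation", key, actual, approved[1]))
        elif actual is None:
            # Not set explicitly: the product default applies, which the baseline
            # does not rely on, so the value must be set and documented.
            findings.append(("missing-setting", key, None, required))
        else:
            findings.append(("setting-drift", key, actual, required))
    for port, proc in sorted(listeners - baseline["allowed_listeners"]):
        findings.append(("unapproved-listener", f"{port}/tcp", proc, None))
    return findings


def actionable(findings):
    """Everything except deviations that already went through change control."""
    return [f for f in findings if f[0] != "approved-deviation"]


def audit_web01():
    return check_host("web01", BASELINE_WEB, parse_keyvalue_config(SSHD_CONFIG),
                      parse_listeners(SS_OUTPUT), APPROVED_DEVIATIONS)


if __name__ == "__main__":
    for finding in audit_web01():
        print(finding)
```

Two design points matter for the Standard's requirements. A setting that is simply absent is reported, not silently accepted, because an undocumented product default is exactly the state a baseline exists to replace. And a deviation only counts as approved when both the host and the actual value match the register entry, so a later change to that setting (even one that moves it further from the baseline) shows up again as drift rather than hiding behind the old ticket. The MySQL listener on loopback is still reported: a web-role host running a database violates the single-function guidance above, whatever address it binds to.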
Software Usage Restrictions
Each IT Asset Custodian must ensure proper management of software:

  • use software (and associated documentation) in accordance with contractual agreements and copyright laws, and track the use of software covered by quantity-limited licenses.
  • strictly prohibit the use of peer-to-peer file sharing technology.
  • establish, monitor, and enforce policies, standards and compliance governing the installation of software by end users.
  • establish restrictions on the use of open-source software (OSS).

CUU and User-installed Software
To maintain control over the types of software installed, IT Asset Custodians must identify permitted and prohibited actions regarding software installation. Permitted software installations may include updates and security patches to existing software and downloading applications from organization-approved "app stores." Prohibited software installations may include software with unknown or suspect pedigrees or software that organizations consider potentially malicious. Installation of software by users must require privileged status.

Incident Reporting

Incidents occur when an FSU student, staff, contractor, or faculty member violates this Standard, specific legal requirements, or contractual obligations. It is the responsibility of each FSU student, staff, contractor, or faculty member to immediately report suspected or confirmed Information Security and Privacy Incidents to the Chief Information Security Officer (CISO) at The CUU ISM or University Unit ISM must inform the CISO of any suspected or confirmed incidents within 24 hours. Refer to the IT Incident Response Standard for more information.

IV. References
