UMGC Policy X-1.08 UMGC Policy on IT Resources Configuration Management

Purpose

The purpose of this Policy is to establish Information Security standards for the configuration management processes relevant to University of Maryland Global Campus ("UMGC" or "University") Information Technology Resources.

Scope and Applicability

This Policy applies to all University Information Systems and Information Technology Resources. Information System Stewards and Technical System Leads are responsible for adhering to this Policy.

Definitions

Defined terms are capitalized throughout this Policy and can be found in the Information Governance Glossary.

Configuration Management

Information System Stewards or Technical System Leads should adhere to this Policy when configuring and managing University Information Technology Resources to prevent unauthorized changes from being made.

1. Baseline Configurations and inventories of University Information Systems throughout the respective system development life cycles should be established, documented, and maintained.
2. Information System Stewards must employ the principle of Least Functionality by configuring University Information Systems to provide only essential capabilities.
3. User-Installed software must be controlled and monitored. The Information System Steward must ensure that all software end user licensing agreements (EULA) are reviewed and approved by the UMGC Procurement team prior to deployment on a University device.
4. Security Configuration Settings for Information Technology Resources employed in University Information Systems must be established and enforced. Information System Stewards should document the Security-related configuration settings and apply them to all systems once tested and approved.
5. Changes to University Information Systems must be tracked, reviewed, approved or disapproved, and logged. Configuration change control for Information Systems should involve the systematic proposal, justification, implementation, testing, review, and disposition of changes to the systems, including system upgrades and modifications.
6. The security impact of changes should be analyzed prior to implementation and a plan established to ensure the ability to reverse a deployment or implementation.
7. Physical and logical access restrictions associated with changes to University Information Systems should be defined, documented, approved, and enforced. Control of configuration management activities may involve:
   1. Logical access control which prevents unauthorized Users from logging onto an Information System to make configuration changes (e.g., requiring specific credentials for modifying configuration settings, patching software, or updating software libraries),
   2. Workflow automation in which configuration management workflow rules define human tasks and data or files are routed between people authorized to do configuration management based on pre-defined business rules (e.g., passing an electronic form to a manager requesting approval of configuration change made by an authorized Employee),
   3. An abstraction layer for configuration management that requires changes be made from an external system through constrained interface (e.g., software updates can only be made from a patch management system with a specific IP address), and/or
   4. Utilization of a configuration management change window.
8. Nonessential programs, functions, ports, protocols, and services should be restricted, disabled, or prevented.
   1. All unnecessary programs and accounts are removed from all endpoints and servers.
   2. The University should apply deny-by-exception (Blacklisting) or permit-by-exception (Whitelisting) technical control policies on all Information Systems.  
   3. The University restricts the use of all unnecessary ports, protocols, and system services in order to limit entry points that attackers can use.

Exceptions

Exceptions to this Policy should be submitted to Information Security for review and approval. If an exception is requested a compensating control or safeguard should be documented and approved

1. Any Employee, Contractor, or third-party performing duties on behalf of the University with knowledge of an alleged violation of this Policy shall notify Information Security as soon as practicable.
2. Any Employee, Contractor, or other third-party performing duties on behalf of the University who violates this Policy may be denied access to Information Resources and may be subject to disciplinary action, up to and including termination of employment or contract or pursuit of legal action.

1. Most recent versions:
   1. USM IT Security Standards
   2. NIST SP 800-171 “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations”
   3. Cybersecurity Maturity Model Certification (CMMC)

1. UMGC Information Governance, Security, and Technology Policies