Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Description

Information security configuration management is the process of establishing, documenting, and maintaining the security controls that are in place to protect an organization's information and systems. This Standard will define the scope and frequency of identification and remediation and is included in the NIST Configuration Management control group.

Scope

All Lehigh systems attached to Lehigh University networks or containing University data should adhere to the defined security configurations. Secure Basic and specific secure configurations will be maintained by LTS and be the responsibility of the … (Need to exclude student machines). System owners are responsible to ensure their systems are configured in appropriately. Technical personnel are responsible for understanding the configuration standards and applying them, and informing the System owner of any configuration gaps.

Security Requirements

NIST 800-171 compliance requires Lehigh to perform the following:

...

Item 1

...

Item 2

...

  • 3.4 Configuration Management

    • 3.4.1 Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.

    • 3.4.2 Establish and enforce security configuration settings for information technology products employed in organizational systems.

    • 3.4.6 Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities.

    • 3.4.7 Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services.

NIST 800-53

  • SA-22 - Replaces information system components when support for the components is no longer available from the developer, vendor, or manufacturer; and Provides justification and documents approval for the continued use of unsupported system components required to satisfy mission/business needs.

...

  • ePHI environments need to have a number of technical safeguards enabled. These safeguards are enumerated within applicable standards and should be collected within HIPAA compliance guidance documentation.

Implementation

Basic Configuration Standards

Basic configuration standards are broad guidelines that apply to all systems/technologies that are used by the University.

  • All systems must be in a supported state. Devices, computers, software that is EOL (end of life) and no longer receiving regular vendor security patches needs to should be upgraded or replaced. If this is not possible, systems will be isolated from the University computing environment. 

  • Default accounts and passwords shall be disabled or changed before placing the resource on the network. If you have a vendor installing devices on the network you should include this requirement in your statement of work. 

  • All systems shall be configured to provide the least functionality to meet the need, only essential capabilities should be enabled (i.e. restricting the use of unnecessary ports, protocols, or services).

  • Deploy antivirus and anti-malware solutions on all computers, including servers, desktops, and laptops , and mobile devices, to protect against malware and other threats. Systems must also run asset management, patch management, have encryption enabled, and other LTS required tools. 

  • LTS with will maintain guidelines for life cycle for standard equipment (switches, servers, workstations, etc) .

  • The CISO or designee may grant exceptions to the policy standard to avoid business interruptions, assuming mitigating controls can be put in place.

Specific Configuration Standards

Specific configuration standards are applied in specific situations (e.g. a secure research environment) or for specific categories of devices (e.g. network switches, windows systems). Specific Configurations Standards which are university-wide will be developed and maintained by LTS by the individuals or teams with the technical expertise required.

NIST 800-53 Rev 5.1.1 https://csrc.nist.gov/pubs/sp/800/53/r5/upd1/final

NIST 800-171 Rev. 2 - https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final

Definitions

System Owner - Responsible for an information system, including security. They may delegate technical responsibility to a Technical Owner

Technical OwnerPersonnel - Responsible for the operation, patching, maintenance and configuration of the information system.

Revision History

Date

Version

Description

Approval

1.0

Original Document

Draft

1.0.1

Revisions

Draft

1.1

Approved - CISO

Approved