Information Systems Configuration Management
Blinn College Administrative Regulations Manual
Subject: Information Systems Configuration Management
Effective Date: March 1, 2020; amended September 19, 2023
Board Policy Reference: CS
Purpose
Establish procedures and policies for configuration management of information processing platforms and software.
Process
Configuration Management (CM-01)
The College District establishes the process for controlling modifications to hardware, software, firmware, and documentation to ensure the information resources are protected against improper modification before, during, and after system implementation.
Information resource owners must ensure that vendor-supplied security patches are routinely acquired, tested, and installed. Security patches must be installed within the risk-based timelines defined in the vulnerability remediation timeline departmental procedure.
The remediation timeline, based on risk ranking, is currently summarized as:
- High Risk, critical-severity, actively exploited vulnerabilities – patch/mitigate within 5 business days
- High Risk – patch/mitigate within 30 days
- Medium Risk – patch/mitigate within 60 days
- Low Risk – patch/mitigate within 180 days
Information resource owners must enable the recommended security features included in vendor-supplied systems and must disable default accounts, or change their passwords, before placing the system into use or on the network.
Baseline Configuration (CM-02)
The College District establishes baseline configuration of information resources to ensure changes to information resources are executed consistently in the production environment.
The information resource owner must develop baseline configurations of information resources. Configuration settings must be documented so that they are repeatable. Desktop and server operating systems must use golden images of reviewed and accepted configurations. Desktop and server operating systems must also run configured and operating anti-virus/anti-malware software and, based on risk factors approved by the CISO and the information resource owner, additional system analytic software.
Change Configuration Control (CM-03)
The Change Review Board (CRB) must meet regularly to review upcoming and completed changes. At a minimum, the CRB is composed of the CISO, the director of Administrative Computing, the dean of Academic Technology, and the managers of the enterprise, client, network, security, and service desk departments. Others may serve at the discretion of the CISO, the director of Administrative Computing, and the dean of Academic Technology.
Change Requests Procedures
A change request is initiated when an operational change needs to be applied to current technology. Categories include, but are not limited to:
- Software and hardware patches
- Installing new versions of software
- New software and hardware installation
- Software configuration changes
- Changes involving a system restart
- Changes deployed to multiple client systems
- Changes impacting client access to a system
Roles
Change Initiators – Owner of the change. Responsible for completing the change form, monitoring assessors, approving assignments, and updating status. Initiators should begin the process at least one week before the desired implementation date.
Assessor – Provides notification and awareness of the change. Evaluates impact, applies business and technical risk, and provides comments within 2–3 days of assignment.
Approver – Provides final approval for the change. Reviews assessor comments, ensures concerns are addressed, and confirms readiness prior to approval.
Change Form Components
- Client ID
- Change type (Normal, Standard, Comprehensive, Emergency)
- Reason for change
- Proposed start and end dates
- Actual end date
- Review date
- Detailed change description
- Risk and impact assessment
- Implementation plan
- Acceptance criteria
- Back-out plan
- Implementer notes
- Review comments and final disposition rating
Security Impact Analysis (CM-04)
All security-related information resource changes must be approved through the change control process prior to implementation. Post-implementation security scans must confirm the changes.
Access Restrictions for Change (CM-05)
Only authorized employees or vendors may implement changes. Role-based access groups restrict change-level permissions.
Configuration Settings (CM-06)
- Mandatory configuration settings
- Most restrictive settings consistent with operational needs
- Documented configuration settings
- Enforced settings across all system components
Least Functionality (CM-07)
Information systems are configured to provide only essential capabilities by disabling or removing unnecessary applications and settings.
Information System Component Inventory (CM-08)
The College District maintains a current inventory of information system components and ownership, including acquisition, installation, repair, and disposal records.
Software Usage Restrictions (CM-10)
- Use software in accordance with license and copyright laws
- Track quantity-licensed software
- Control peer-to-peer file sharing
User Installed Software (CM-11)
Academic Technology and Administrative Computing authorize and install software on College District systems. All installed software must be appropriately licensed and documented.