CM - Configuration Management

(CM-1) Configuration Management Policy and Procedures

The purpose of the Texas A&M University configuration management procedures is to:

  1. Describe the requirements for configuring a new platform (e.g., server) in a secure fashion;
  2. Maintain the appropriate security of the platform and application software; and
  3. Provide guidance for applying and maintaining appropriate security measures for all platforms that process Critical, Confidential or University-Internal data.

(CM-2) Baseline Configuration

The university establishes a baseline configuration of information resources to ensure changes to information resources are executed consistently in the production environment.

(CM-3) Configuration Change Control

This Control addresses how changes are controlled, implemented and documented in an orderly manner. A change may include:

  • Any implementation of new functionality;
  • Any interruption of service;
  • Any repair of existing functionality; or
  • Any removal of existing functionality.

Proper application of change management minimizes unwanted reductions in security and provides an accurate record of changes and associated supporting documentation that is useful when planning future changes.

(CM-4) Security Impact Analysis

Changes to the configuration of information systems must be analyzed to determine potential security impacts.

(CM-5) Access Restrictions for Change

This Control addresses how access to information resources is controlled and documented, particularly related to changes to those resources. Changes to information resource configurations should only be completed by authorized staff.

(CM-6) Configuration Settings

The university establishes configuration settings for information resources to ensure they operate as expected.

(CM-7) Least Functionality

The university applies the concept of least functionality when providing access to information resources.

(CM-8) Information System Component Inventory

The university has an inventory of information resource components and a process to keep the information current.

(CM-10) Software Usage Restrictions

The university has procedures and processes to ensure software license agreements are tracked.

(CM-11) User Installed Software

This Control is intended to inform University computer users of the rules for authorized software on Texas A&M University information resources. Authorized software, also called licensed software, is any software acceptable for use within the University system. Software licensed for use at Texas A&M University has end-user license agreements which inform faculty, staff, and students of their responsibilities as end users regarding authorized use of the software. This procedure is intended to inform University computer users of the requirements for authorized software on Texas A&M University information resources. Non-compliance with copyright laws regarding software is subject to significant civil and criminal penalties imposed by federal and state laws. These penalties are applicable to the University and/or an individual. Violation of this Control is subject to University disciplinary action as well.