CM-1 Configuration Management Policy and Procedures
Description
The purpose of the Texas A&M University configuration management procedures is to:
- Describe the requirements for configuring a new platform (e.g., server) in a secure fashion
- Maintain the appropriate security of the platform and application software, and
- Provide guidance for applying and maintaining appropriate security measures for all platforms that process Critical, Confidential or University-Internal data.
Applicability
- The intended audience includes, but is not limited to, custodians and/or owners of an information resource.
Implementation
- 1 - Custodians of information resources shall ensure that vendor-supplied security patches are routinely acquired, systematically tested prior to implementation where practical, and installed promptly.
  - 1.1 - Security patches categorized as "critical" by the vendor must be installed within 30 days of release.
  - 1.2 - Security patches categorized as "high" by the vendor must be installed within 45 days of release.
  - 1.3 - Other security patches must be installed within 60 days of release.
- 2 - Custodians of information resources shall remove unnecessary software, system services, and drivers.
- 3 - Custodians of information resources shall enable recommended security features included in vendor-supplied systems including, but not limited to, firewalls, virus scanning and malicious code protections, and other file protections.
- 4 - Custodians of information resources shall disable or change the password of default accounts before placing the resource on the network.