Skip to main content

CM-1 Configuration Management Policy and Procedures

Description

The purpose of the Texas A&M University configuration management procedures is to:

  1. Describe the requirements for configuring a new platform (e.g., server) in a secure fashion
  2. Maintain the appropriate security of the platform and application software, and
  3. Provide guidance for applying and maintaining appropriate security measures for all platforms that process Critical, Confidential or University-Internal data.

Applicability

  • The intended audience includes, but is not limited to, custodians and/or owners of an information resource.

Implementation

  • 1 - Custodians of information resources shall ensure that vendor supplied security patches are routinely acquired, systematically tested prior to implementation where practical, and installed promptly.

    • 1.1 - Security patches categorized as "critical" by the vendor must be installed within 30 days of release.
    • 1.2 - Security patches categorized as "high" by the vendor must be installed within 45 days of release.
    • 1.3 - Other security patches must be installed within 60 days of release.

  • 2 - Custodians of information resources shall remove unnecessary software, system services, and drivers.

  • 3 - Custodians of information resources shall enable recommended security features included in vendor-supplied systems including, but not limited to, firewalls, virus scanning and malicious code protections, and other file protections.

  • 4 - Custodians of information resources shall disable or change the password of default accounts before placing the resource on the network.