ROWAN UNIVERSITY POLICY
Title: Information System Configuration Management Policy
Subject: Information Security
Policy No: ISO: 2024:02
Applies: University-Wide
Issuing Authority: Senior Vice President for Information Resources and Technology and Chief Information Officer
Responsible Officer: Information Security Officer
Date Adopted: 06/05/2024
Last Revision: 06/05/2024
Last Review: 06/05/2024
I. PURPOSE
The purpose of this policy is to ensure that Information Technology (IT) resources are inventoried and configured in compliance with IT policies, standards, and procedures.
II. ACCOUNTABILITY
Under the direction of the President, the Chief Information Officer and Information Security Officer shall ensure compliance with this policy. The Vice Presidents, Deans, and other members of management will implement this policy in their respective areas.
III. APPLICABILITY
This policy applies to all Rowan enterprise IT systems and those systems deemed operationally critical to the mission of the University.
IV. DEFINITIONS
Refer to Rowan University Technology Terms and Definitions for terms and definitions that are used in this policy.
V. POLICY
Information system owners must ensure that the configurations of all applicable systems are set up and managed in accordance with the following guiding principles:
- Baseline Configuration
  - In order to achieve baseline configuration, system owners shall:
    - Develop, document, and maintain under configuration control a current baseline configuration of information systems within the University's configuration management database (CMDB), where appropriate.
    - Review and update the baseline configuration of the information system annually or when significant changes to the information system occur, such as installations or upgrades.
    - Retain one previous version of the baseline configuration of information systems to support rollback.
- Configuration Change Control
  - In accordance with the Change Management Policy, system owners shall:
    - Determine the types of changes to the information system that are configuration-controlled.
    - Review proposed configuration-controlled changes to the information system and approve or disapprove such changes with explicit consideration of impact analyses.
    - Document configuration change decisions associated with the information system.
    - Implement approved configuration-controlled changes to the information system.
    - Retain records of configuration-controlled changes to the information system.
    - Coordinate and provide oversight for configuration change control activities.
    - Test and validate changes to the information system before implementing them on the operational system, where feasible.
- Security Impact Analysis
  - In accordance with the Change Management Policy, the ISO shall:
    - Analyze changes to the information system to determine potential security impacts prior to change implementation.
    - Provide requirements for configuration changes so that they follow industry best practices, Rowan University standards, etc.
- Configuration Settings
  - For the set of parameters in hardware, software, and/or firmware that can be changed and that affect the security posture and/or functionality of the information system, System Owners or their designee shall:
    - Establish, document, and implement configuration settings for the information system that reflect the most restrictive mode consistent with operational requirements.
    - Identify, document, approve, and submit to change control any deviations from established configuration settings that are based on operational requirements.
    - Work with the system owner to update the baseline configuration as appropriate.
- Least Functionality
  - In accordance with the principle of least functionality, system owners or their designees shall:
    - Configure the information system to provide only operationally necessary capabilities.
    - Prohibit or restrict the use of ports, protocols, software, and services that are not required to meet the business function of the information system.
    - As technically and operationally feasible, limit component functionality to a single function per device (e.g., database server, web server).
- Information System Component Inventory
  - In order to provide a comprehensive view of the components that need to be managed and secured, the System Owner or their designee shall:
    - Inventory and track all information system components in accordance with IRT standards, policies, and procedures.
    - Review and update the information system component inventory annually.
    - As technically and operationally feasible, employ mechanisms that help maintain current inventories of information assets.
    - Prevent duplicate accounting of system components by using a centralized inventory management system.
- Roles and Responsibilities
  - The Information Security Office will work with information system owners to document configuration standards and baselines.
  - The ISO and system owners will document any deviations from industry standards and requirements that cannot be implemented due to business or other environmental considerations.
  - The ISO will audit configuration baselines on a regular basis to ensure they remain within acceptable industry standards and Rowan requirements.
  - System owners will implement these standards, settings, and baseline configurations across all information systems.
VI. POLICY COMPLIANCE
Violations of this policy may subject the violator to the removal of system access or to disciplinary action, up to and including termination of employment or dismissal from a school, subject to applicable collective bargaining agreements, and may subject the violator to penalties stipulated in applicable state and federal statutes. Sanctions shall be applied consistently to all violators regardless of job title or level in the organization, per the Acceptable Use Policy. Any exceptions to this policy must be approved by the Information Security Office.
By Direction of the CIO:
Mira Lalovic-Hand,
SVP and Chief Information Officer