Baseline Configuration: A set of specifications for a system, or a configuration item (CI) within a system, that has been formally reviewed and agreed on at a given point in time, and which can be changed only through change control procedures. The baseline configuration is used as a basis for future builds, releases, and/or changes.
Access: The ability to interact with data through access control procedures, such as identification, authentication and authorization.
Physical Access: The ability to physically touch and interact with computers or network
This policy aligns with the NIST 800-53 Configuration Management (CM) Control Family.
- Develop, document and maintain a current enterprise-level baseline configuration of each platform (operating systems, databases, middleware, enterprise applications, etc.) within its environment.
- Review and update the baselines annually and as needed due to system upgrades, patches or other
- Retain a number of previous configurations to support rollback, as determined by the appropriate office level procedure.
- Establish a minimum baseline configuration for information systems or components with elevated security controls when a device is used to access information systems in locations that the agency deems to be of significant risk; and apply predefined security safeguards to the device prior to it being joined to
Each Agency must develop, document and maintain agency-specific application baseline configurations.
Configuration Change Control
- Determine the types of changes to an information system that are configuration-controlled.
- Review proposed configuration changes, and approve or disapprove them with explicit consideration of the security impact analysis; document change decisions.
- Test, validate, and document planned changes prior to implementation of approved changes.
- Retain records of changes for the life of the system, and retain audit and review activities associated with changes.
- Coordinate and provide oversight for change control activities through the Change Advisory Board
Security Impact Analysis
Each Agency must analyze planned changes to an information system to determine potential security impacts prior to change implementation.
Access Restrictions for
COT must define, document, approve, and enforce physical and logical access restrictions associated with changes to an information system.
COT and each Agency must:
- Establish, document and implement configuration settings for information technology products employed within the information system that reflect the most restrictive mode consistent with operational requirements.
- Identify, document, and approve any deviations from established configuration settings.
- Monitor and control changes to configuration settings in accordance with office-level policies
COT must configure information systems to provide only essential capabilities with respect to their relative security. Specifically:
- On a periodic basis, review the use of functions, ports, protocols, and services. Identify and disable or eliminate those deemed unnecessary, unused or detrimental to the system or business.
- an allow-all, deny-by-exception policy to prohibit unauthorized software
- Identify and document software programs that are prohibited or restricted from execution on the information system. Periodically review and/or update the list.
Information System Component Inventory
COT and each Agency must:
- Develop and document an inventory of information system components that:
  - Accurately reflects the current systems for which COT and the Agency are responsible
  - Includes all components within the authorization boundary of the system
  - Includes information necessary to achieve effective infrastructure component accountability
  - Is at the level of granularity deemed necessary for tracking and reporting.
- and update the component inventory as an integral part of installation, removal, and updates.
- Employ automated mechanisms to detect the presence of unauthorized hardware, software, and firmware. Take action when unauthorized components are detected, such as disabling network access for such components, isolating the components, or notifying authorized points of contact.
- Verify that all components within the authorized boundary are not duplicated in other
Configuration Management Plan
COT and each Agency must develop, document, and implement a Configuration Management Plan for information systems that:
- configuration management roles, responsibilities, processes and procedures.
- a process for identifying configuration items throughout the system development life cycle (SDLC), and ensures they align with established processes and
- the Configuration Management Plan from unauthorized disclosure and
Software Usage Restrictions
COT and each Agency must:
- software (and associated documentation) in accordance with contractual agreements and copyright laws; and track the use of software protected for
- prohibit the use of peer-to-peer file sharing technology.
- monitor and enforce guidelines, policies and compliance governing the installation of software by end users.
- restrictions on the use of open source software (OSS). Open source software must be approved by the Information Technology Standards Committee (ITSC), listed in the Kentucky Information Technology Standards (KITS), and adhere to a secure configuration baseline.
Authority: KRS 42.726 authorizes the Commonwealth Office of Technology (COT) to develop policies and compliance processes to support and promote the effective application of information technology within the executive branch of state government.
All executive branch agencies and non-executive branch agencies using COT-managed infrastructure or services must adhere to this policy. This includes employees, contractors, consultants, temporaries, volunteers, and other workers within state government.
for Compliance: Each agency must ensure that staff within their organizational authority are made aware of and comply with this policy. The agency is responsible for enforcing it. Unauthorized and/or neglectful actions regarding this policy may result in disciplinary action up to and including dismissal. COT may require additional service charges for remediation efforts due to non-compliance with this policy.
Maintenance: COT's Office of IT Architecture & Governance and the Office of the Chief Information Security Officer share responsibility for maintaining this policy. Organizations may modify this policy to fulfill their responsibilities, but must obtain approval through an exception request. Staff should refer to their internal policy, which may have additional information or clarification.
Review Cycle: COT's Office of IT Architecture & Governance and the Office of the Chief Information Security Officer will review this policy at least every two years.