CIO-104 Configuration Management Policy

Office of the Chief Information Officer Enterprise Policy
Effective Date: 7/20/2018
Policy Statement:  This policy establishes controls related to Configuration Management.  The policy provides guidance in decision-making and practices that optimize resources, mitigate risk, and maximize return on investment.
  • Baseline Configuration: A set of specifications for a system, or a configuration item (CI) within a system, that has been formally reviewed and agreed on at a given point in time, and which can be changed only through change control procedures. The baseline configuration is used as a basis for future builds, releases, and/or changes.
  • Logical Access: The ability to interact with data through access control procedures, such as identification, authentication and authorization.
  • Physical Access: The ability to physically touch and interact with computers or network devices.

This policy aligns with the NIST 800-53 Configuration Management (CM) Control Family. 

Baseline Configuration
COT must:
  • Develop, document and maintain a current enterprise-level baseline configuration of each platform (operating systems, databases, middleware, enterprise applications, etc.) within its environment.
  • Review and update the baselines annually and as needed due to system upgrades, patches or other significant changes.
  • Retain a number of previous configurations to support rollback, as determined by the appropriate office level procedure.
  • Establish a minimum baseline configuration, with elevated security controls, for information systems or components when a device is used to access information systems in locations that the agency deems to be of significant risk, and apply predefined security safeguards to the device before it is joined to the domain.
Each Agency must develop, document and maintain agency-specific application baseline configurations.  

Configuration Change Control
COT must:
  • Determine the types of changes to an information system that are configuration-controlled.
  • Review proposed configuration changes and approve or disapprove them with explicit consideration of the security impact analysis; document change decisions.
  • Test, validate, and document planned changes prior to implementation of approved changes.
  • Retain records of changes for the life of the system, and audit and review activities associated with changes.
  • Coordinate and provide oversight for change control activities through the Change Advisory Board (CAB).  
Security Impact Analysis
Each Agency must analyze planned changes to an information system to determine potential security impacts prior to change implementation.  
Access Restrictions for Change
COT must define, document, approve, and enforce physical and logical access restrictions associated with changes to an information system.  

Configuration Settings
COT and each Agency must:
  • Establish, document and implement configuration settings for information technology products employed within the information system, that reflect the most restrictive mode consistent with operational requirements.
  • Identify, document, and approve any deviations from established configuration settings.
  • Monitor and control changes to configuration settings in accordance with office-level policies and procedures.  
Least Functionality
COT must configure information systems to provide only essential capabilities with respect to their relative security.  Specifically:
  • On a periodic basis, review the use of functions, ports, protocols, and services. Identify and disable or eliminate those deemed unnecessary, unused or detrimental to the system or business.
  • Employ an allow-all, deny-by-exception policy to prohibit unauthorized software execution.
  • Identify and document software programs that are prohibited or restricted from execution on the information system. Periodically review and/or update the list.
Information System Component Inventory
COT and each Agency must:
  • Develop and document an inventory of information system components that:
    - Accurately reflects the current systems for which COT and the Agency are responsible
    - Includes all components within the authorization boundary of the system
    - Includes information necessary to achieve effective infrastructure component accountability
    - Is at the level of granularity deemed necessary for tracking and reporting.
  • Review and update the component inventory as an integral part of installation, removal, and updates.
  • Employ automated mechanisms to detect the presence of unauthorized hardware, software, and firmware. Take action when unauthorized components are detected, such as disabling network access for such components, isolating the components, or notifying authorized points of contact.
  • Verify that all components within the authorization boundary are not duplicated in other inventories.
Configuration Management Plan
COT and each Agency must develop, document, and implement a Configuration Management Plan for information systems that:
  • Addresses configuration management roles, responsibilities, processes and procedures.
  • Establishes a process for identifying configuration items throughout the system development life cycle (SDLC), and ensures they align with established processes and procedures.
  • Protects the Configuration Management Plan from unauthorized disclosure and modification.
Software Usage Restrictions
COT and each Agency must: 
  • Use software (and associated documentation) in accordance with contractual agreements and copyright laws, and track the use of software protected by quantity licenses.
  • Strictly prohibit the use of peer-to-peer file sharing technology.
  • Establish, monitor and enforce guidelines, policies and compliance governing the installation of software by end users.
  • Establish restrictions on the use of open source software (OSS). Open source software must be approved by the Information Technology Standards Committee (ITSC), listed in the Kentucky Information Technology Standards (KITS), and adhere to a secure configuration baseline.
Authority: KRS 42.726 authorizes the Commonwealth Office of Technology (COT) to develop policies and compliance processes to support and promote the effective application of information technology within the executive branch of state government.
Applicability:  All executive branch agencies and non-executive branch agencies using COT-managed infrastructure or services must adhere to this policy.  This includes employees, contractors, consultants, temporaries, volunteers, and other workers within state government.
Responsibility for Compliance:  Each agency must ensure that staff within their organizational authority are made aware of and comply with this policy. The agency is responsible for enforcing it.  Unauthorized and/or neglectful actions regarding this policy may result in disciplinary action up to and including dismissal.  COT may require additional service charges for remediation efforts due to non-compliance with this policy.
Maintenance:  COT’s Office of IT Architecture & Governance and the Office of the Chief Information Security Officer share responsibility for maintaining this policy.  Organizations may modify this policy to fulfill their responsibilities, but must obtain approval through an exception request.  Staff should refer to their internal policy, which may have additional information or clarification.
Review Cycle:  COT’s Office of IT Architecture & Governance and the Office of the Chief Information Security Officer will review this policy at least every two years.  

This page was last modified 8/6/2019 6:15 PM