
Information Security Office

Configuration Management Standard
Number: 8050.0 Revised: August 15, 2010

All campus information technology devices and applications must be configured in a manner that ensures compliance with all campus information security policies and practices. The Information Security Officer shall review and approve all device and application security configurations and settings prior to deployment. Whenever possible, the configuration of newly purchased devices and applications should be reviewed and approved by the ISO prior to procurement.

The most common configuration issues arise with device "images" that configure operating systems, hardware settings and application settings. The Information Security Officer will define a base image for all devices that meets most campus user needs and also meets all security requirements. When building device images, strong consideration should be given to configurations that provide security while not interfering with business requirements. Whenever possible, this base image should allow for further additions that meet local service needs (e.g. additional software applications, locally used specialty devices, etc.). Under no circumstances shall such local additions compromise or change the base security configuration of the devices. The Information Security Office will maintain a list of commonly used benchmark device images; preference will be given to the use of these benchmark images before alternatives are considered. Standard campus images already vetted by the Information Security Office must be considered before developing a new "known-good" image. All other build images must be submitted to and approved by the Information Security Office prior to deployment. The review will both verify that the image/process has the appropriate secure configurations and also create a "white list" of known-good builds for further campus use. The Center for Internet Security (www.cisecurity.org) benchmarks should be reviewed and considered when creating a new non-standard "known-good" image or documented build process. Exceptions to these standards require written approval by the ISO through the Risk Management Process.

When considering the security of configuration controls on devices and applications, the following specific requirements must be met; exceptions require written approval of the ISO through the Risk Management Process:

  1. General Devices/Applications

    1. Manage, maintain and perform other activities that require elevated permissions with an SLS account when administering the device/application.

    2. Add to domain with authorized area prefix maintained by the Identity Management Group.

  2. Servers

    1. Install, configure and enable campus server monitoring.

    2. Configure systems to allow campus vulnerability-scanning processes to scan them.

  3. Desktops

    1. Configured to include the standard campus management client (KBOX) for on-going monitoring.

    2. Configured to include the standard campus malware protection.

    3. Operation of the management client and malware protection may not be disabled or impeded.

    4. End users may not have administrative rights unless required by business requirements (i.e., business-required software only works with administrative rights).

  4. Laptops

    1. Configured to include the standard campus management client (KBOX) for on-going monitoring.

    2. Configured to include the standard campus malware protection.

    3. Operation of the management client and malware protection may not be disabled or impeded.

    4. End users may have administrative rights.

  5. Labstations

    1. Configured to include the standard campus management client (KBOX) for on-going monitoring.

    2. Configured to include the standard campus malware protection.

    3. Operation of the management client and malware protection may not be disabled or impeded.

    4. End users may have administrative rights if DeepFreeze or another approved process for returning systems to a "known-good" state is implemented.

    5. Prohibit disabling mandatory protection.
