Secure Configuration of Enterprise Assets and Software

Issue/Question

What is the USD security policy for Secure Configuration of Enterprise Assets and Software?

Environment

  • CIS Control 4

Cause

Protect against cybersecurity threats, establish cybersecurity norms, and enhance cybersecurity maturity.

Resolution

Secure Configuration of Enterprise Assets and Software

Policy Statement: The University acknowledges the critical importance of securely configuring enterprise assets and software to minimize security risks and maintain a strong defense against cyber threats. This policy establishes guidelines for implementing secure configuration practices to enhance the security posture of the University's IT environment.

Policy Implementation:

  1. Baseline Configuration Standards:

    • The University will establish baseline configuration standards for all enterprise assets, including hardware devices, operating systems, network equipment, and software applications.
    • Baseline configurations will be developed based on industry best practices, vendor recommendations, and security benchmarks such as CIS Benchmarks.
  2. Configuration Management Processes:

    • Configuration management processes will be implemented to ensure that enterprise assets are configured securely and consistently throughout their lifecycle.
    • Configuration changes will be managed through formal change management procedures, including documentation, review, approval, and testing.
  3. Hardening Guidelines:

    • Hardening guidelines will be applied to secure the configuration of operating systems, network devices, and software applications by removing unnecessary features, disabling default accounts, and enabling security controls.
    • Hardening standards will be periodically reviewed and updated to address emerging threats and vulnerabilities.
  4. Vulnerability Management Integration:

    • Secure configuration practices will be integrated with vulnerability management processes to address identified vulnerabilities and security weaknesses.
    • Vulnerability scanning tools will be used to assess the compliance of enterprise assets with secure configuration standards and identify deviations that require remediation.
  5. Automated Configuration Management Tools:

    • The University will leverage automated configuration management tools and solutions to streamline the implementation and enforcement of secure configuration standards.
    • Automated tools will facilitate the deployment of standardized configurations, monitor for deviations, and remediate non-compliant configurations efficiently.

Compliance and Enforcement: All members of the University community are responsible for adhering to this policy and actively participating in secure configuration management activities.

Policy Review: This policy will be reviewed annually to ensure alignment with emerging threats, changes in technology, and regulatory requirements. Updates will be made as necessary to maintain the effectiveness and relevance of secure configuration practices.


This policy provides a framework for implementing CIS Control 4 within a university environment, focusing on secure configuration practices to minimize security risks and maintain the integrity and confidentiality of University assets and data.

Please contact the Service Desk if you need further assistance.

Details

Article ID: 8939
Created
Tue 3/5/24 8:26 AM
Modified
Mon 3/18/24 6:54 PM
KCS Article Status
Validated