Body
Issue/Question
What is the USD security policy for Secure Configuration of Enterprise Assets and Software?
Environment
Cause
Protect against cybersecurity threats, establish cybersecurity norms, enhance cybersecurity maturity
Resolution
Secure Configuration of Enterprise Assets and Software
Policy Statement: The University acknowledges the critical importance of securely configuring enterprise assets and software to minimize security risks and maintain a strong defense against cyber threats. This policy establishes guidelines for implementing secure configuration practices to enhance the security posture of the University's IT environment.
Policy Implementation:
- Baseline Configuration Standards:
  - The University will establish baseline configuration standards for all enterprise assets, including hardware devices, operating systems, network equipment, and software applications.
  - Baseline configurations will be developed based on industry best practices, vendor recommendations, and security benchmarks such as CIS Benchmarks.
  - End-user mobile devices should be segmented from enterprise workspaces.
- Configuration Management Processes:
  - Configuration management processes will be implemented to ensure that enterprise assets are configured securely and consistently throughout their lifecycle.
  - Configuration changes will be managed through formal change management procedures, including documentation, review, approval, and testing.
- Hardening Guidelines:
  - Hardening guidelines will be applied to secure the configuration of operating systems, network devices, and software applications by removing unnecessary features, disabling default accounts, and enabling security controls.
  - Hardening standards will be periodically reviewed and updated to address emerging threats and vulnerabilities.
  - Session locking should be in place in addition to software-based firewalls on workstations and servers.
  - Access to systems and services should be entirely via secure protocols.
  - Control and limitation of local and service accounts on all endpoints should be in place.
  - DNS layer security should be enabled on all enterprise systems.
  - Device and authentication lockout should be in place on all systems in addition to MFA.
- Vulnerability Management Integration:
  - Secure configuration practices will be integrated with vulnerability management processes to address identified vulnerabilities and security weaknesses.
  - Vulnerability scanning tools will be used to assess the compliance of enterprise assets with secure configuration standards and identify deviations that require remediation.
- Automated Configuration Management Tools:
  - The University will leverage automated configuration management tools and solutions to streamline the implementation and enforcement of secure configuration standards, including remote isolation and wipe capabilities.
  - Automated tools will facilitate the deployment of standardized configurations, monitor for deviations, and remediate non-compliant configurations efficiently.
Compliance and Enforcement: All members of the University community are responsible for adhering to this policy and actively participating in secure configuration management activities.
Policy Review: This policy will be reviewed annually to ensure alignment with emerging threats, changes in technology, and regulatory requirements. Updates will be made as necessary to maintain the effectiveness and relevance of secure configuration practices.
This policy provides a framework for implementing CIS Control 4 within a university environment, focusing on secure configuration practices to minimize security risks and maintain the integrity and confidentiality of University assets and data.
Please contact the Service Desk if you need further assistance.