Security Configuration Management
In compliance with HOP 5.8.8, U.T. System Policy 165, and Texas Administration Code 202 (TAC202), hardware and software platforms must be configured in a secure manner to ensure the confidentiality, integrity and availability of University resources. The Office of Information Security has adopted the Center for Internet Security (CIS) Benchmarks as prescriptive guidance for implementing “hardened” security configurations in a format that aligns with U.T. System and TAC Control Standards and the National Institute of Standards and Technology Special Publication 800-53 (NIST SP 800-53).
https://www.cisecurity.org/cis-benchmarks/
Implementation
- Information Resource Custodians (Custodians) shall ensure that vendor supplied patches are routinely acquired, systematically tested prior to implementation where practical, and installed promptly based on risk management decisions.
- Information Resource Custodians shall enable configurations that minimally comply with associated Information Technology and Information Security HOP statements. These include, but are not limited to, HOP 5.8.4 (Access Management) and 5.8.8 (Information Resource Security Configuration Management).
- Each type of platform or device may have its own particular baseline security configuration and maintenance protocols. While the CIS hardened security benchmarks should be used for configuration guidance, Information Resource Custodians shall seek and implement recommended configurations (such as security checklists designated by the manufacturer for a specific use case) for securing the particular system platform(s) under their control.
Monitoring
The Chief Information Security Officer shall regularly monitor system configuration compliance with minimally acceptable configuration policies and validate configuration gaps with CIS Benchmarks. Reports of system compliance with these standards will be periodically distributed to Information Resource Owners and Custodians as guidance in assessing and mitigating risk of platform(s) under their control.
Information Security may disable or deactivate a system, or a service or application running on it, if its configuration is deemed a significant and immediate risk to the University network or other information resources.