Configuration Management Policy and Procedures (CM-1)

The purpose of the Texas A&M University configuration management procedures is to:
  1. Describe the requirements for configuring a new platform (e.g., server) in a secure fashion;
  2. Maintain the appropriate security of the platform and application software; and
  3. Provide guidance for applying and maintaining appropriate security measures for all platforms that process Critical, Confidential or University-Internal data.

Baseline Configuration (CM-2)

The university establishes a baseline configuration of information resources to ensure changes to information resources are executed consistently in the production environment.

Configuration Change Control (CM-3)

This Control addresses how changes are controlled, implemented and documented in an orderly manner. A change may include:
  • Any implementation of new functionality;
  • Any interruption of service;
  • Any repair of existing functionality; or
  • Any removal of existing functionality.
Proper application of change management minimizes unwanted reductions in security and provides an accurate record of changes and associated supporting documentation that is useful when planning future changes.

Security Impact Analysis (CM-4)

Changes to the configuration of information systems must be analyzed to determine potential security impacts.

Access Restrictions for Change (CM-5)

This Control addresses how access to information resources is controlled and documented, particularly related to changes to those resources. Changes to information resource configurations should only be completed by authorized staff.

Configuration Settings (CM-6)

The university establishes configuration settings for information resources to ensure they operate as expected.

Least Functionality (CM-7)

The university applies the concept of least functionality when providing access to information resources.

Information System Component Inventory (CM-8)

The university has an inventory of information resource components and a process to keep the information current.

Software Usage Restrictions (CM-10)

The university has procedures and processes to ensure software license agreements are tracked.

User Installed Software (CM-11)

This Control is intended to inform University computer users of the rules for authorized software on Texas A&M University information resources. Authorized software, also called licensed software, is any software acceptable for use within the University system. Software licensed for use at Texas A&M University has end-user license agreements that inform faculty, staff, and students of their responsibilities as end users regarding authorized use of the software. Non-compliance with copyright laws regarding software is subject to significant civil and criminal penalties imposed by federal and state laws. These penalties are applicable to the University and/or an individual. Violation of this Control is subject to University disciplinary action as well.