Description

The purpose of the Texas A&M University configuration management procedures is to:

  • Describe the requirements for configuring a new platform (e.g., server) in a secure fashion
  • Maintain the appropriate security of the platform and application software, and
  • Provide guidance for applying and maintaining appropriate security measures for all platforms that process essential, controlled, or confidential information.

Draft Guidance

ADDED

  • Section 1.1 is added to establish the timeframe for critical security patches
  • Section 1.2 is added to establish the timeframe for high priority security patches
  • Section 1.3 establishes the timeframe for installing all other security patches.

REMOVED

  • Original Section 4 dealing with audit logging is deleted as this is covered in Control AU-2
  • Original Section 5 dealing with user privileges is deleted as this is covered in Control AC-6
  • Original Section 7 dealing with vulnerability scanning is deleted as this is covered in Control RA-5
  • Original Section 8 dealing with platform configuration is deleted as this is covered in Control CM-2

MODIFIED

  • Section 1 is revised to clarify that the Control is focused on security patches.

Applicability

  • The intended audience includes, but is not limited to, custodians and/or owners of an information resource.

Implementation

  • 1

    Custodians of information resources shall ensure that vendor supplied security patches are routinely acquired, systematically tested prior to implementation where practical, and installed promptly.

    • 1.1

      Security patches categorized as "critical" by the vendor must be installed within 30 days of release.

    • 1.2

      Security patches categorized as "high" by the vendor must be installed within 45 days of release.

    • 1.3

      Other security patches must be installed within 60 days of release.

  • 2

    Custodians of information resources shall remove unnecessary software, system services, and drivers.

  • 3

    Custodians of information resources shall enable recommended security features included in vendor-supplied systems including, but not limited to, firewalls, virus scanning and malicious code protections, and other file protections.

  • 4

    Custodians of information resources shall disable or change the password of default accounts before placing the resource on the network.