This is a sample configuration standards document.

Purpose

To protect company data and information systems by ensuring a consistent, secure configuration between resources and maintaining baseline configuration standards.

Scope

This policy applies to all information systems, including, but not limited to, laptops, desktops, two-in-ones, mobile devices (phones and tablets), cloud services, on-premise servers, printers, network equipment, removable media, storage, and any other systems that store, process, or transmit company data.

Policy

Information systems that process, transmit, or store company data must be configured in accordance with the applicable standard for that class of device or system. 

Standard software deployments, such as a web server or database, should have a standard configuration including antivirus, malware removal and other security software maintained by the IT department.

Before being deployed into production, a system must be certified to meet the applicable configuration standard in accordance with company standards.

Definitions

Configuration Standard – A document or collection of documents that describe how a device should be configured.

Device Managers – Entity responsible for maintaining or managing a class of information systems.

Responsibilities

Device Managers are responsible for developing and publishing configuration standards for the devices over which they have primary responsibility.

The Security Department is responsible for reviewing and approving the standards in conjunction with the Device Managers.

Exceptions

Any exception to this policy must be approved by the IT department. Exceptions to applicable standards must be documented and maintained by the team responsible for the standards.

What Are Regulatory Compliance Configuration Standards?

All technology comes with a default configuration and, in many cases, this default configuration may be insecure. This is not a fault of the technology producer; rather, it is an attempt to allow the technology to be set up easily, leaving the user to make the changes needed to secure the technology after it is operational.

Common issues include default passwords, out-of-date updates, and superfluous programs and services. All of these can increase the attack surface of the system and, depending on where and how the software is deployed, may put an organization out of compliance with applicable regulations.

Configuration standards describe how each system should be configured before deployment in a secure environment.

The specifics of the configuration requirements can vary based upon the technology’s purpose, type, and where it is deployed within the enterprise. For example, a system deployed inside the protected zone of an organization maintaining PCI DSS compliance may have to be configured in a very different way from a similar system deployed in a less secure segment of the company network without access to the protected data.

Designing, implementing, enforcing, and updating these configuration standards is vital to an organization’s cybersecurity posture and regulatory compliance.

Violations/Enforcement

Violations of this policy can result in immediate withdrawal or suspension of system and network privileges and/or disciplinary action in accordance with University procedures.

Regulatory Configuration Standard Requirements

Most data protection regulations, laws, and compliance/security frameworks have requirements for how sensitive data is to be protected. Configuration standards are an important aspect of an organization’s data protection strategy.

PCI DSS Compliance

Requirement 2.2 of the PCI DSS standards states that organizations should “develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards.” This means that PCI DSS compliance requires developing and implementing security standards based on cybersecurity best practices.


HIPAA Compliance

The purpose of the Health Insurance Portability and Accountability Act (HIPAA) is to protect the personal information of patients collected as part of providing healthcare services. HIPAA compliance lays out requirements for technical safeguards of sensitive information. Part of this includes developing configuration standards to ensure that machines storing, processing, or transmitting protected health information (PHI) are appropriately hardened and secured against attack.


NIST Compliance

The purpose of NIST (National Institute of Standards and Technology) compliance and security frameworks is to provide guidance on the minimal level of protection needed for various levels of sensitive data. These range from commercial data standards like the Cybersecurity Framework (CSF) to Federal and State Government standards like Special Publication 800-171 or 800-53. Additionally, NIST provides supporting standards, like FIPS (Federal Information Processing Standards), that approve certain types of technology, such as encryption, and that are relied upon by other regulatory standards such as HIPAA, PCI-DSS, ISO, FERPA, and HITRUST.

Developing Compliant Configuration Standards

Data protection regulations like PCI DSS require that organizations develop and implement configuration standards based upon cybersecurity best practices. However, they acknowledge the fact that organizations are unlikely to have access to world-class experts in all systems that they use to advise them on the specifics of securing each type of system in use in the organization.

Many organizations have developed configuration standards that can be used as a baseline to adopt and build upon to meet the specific requirements of their organization, industry, and regulatory responsibilities. Requirement 2.2 of PCI DSS requires the use of configuration standards that address all known security vulnerabilities and recommends a few sources of sample standards including:

The configuration standards developed and published by these entities are designed to address all known issues at the time of publication. However, they may require updates, additions, or tailoring to an organization’s specific infrastructure and regulatory responsibilities.

The provided standards are a great baseline for regulatory compliance, but, if your organization needs to meet specific requirements, it may be a good idea to call in outside expertise. Sword & Shield has teams of experts in the major regulatory standards (NIST, HIPAA, PCI-DSS, ISO, etc.) and experience in designing, implementing, and maintaining security strategies at the enterprise level.

The University may advise law enforcement agencies when a criminal offense may have been committed.