CM - Configuration Management

STATEWIDE INFORMATION SECURITY POLICY

Document ID: CISP-005
Effective Date: 2/11/2015
Revision Date: 2/01/2017
Version #: 2.0

THIS POLICY APPLIES TO:
[x] OIT (ITSP for Consolidated Agencies)
[x] Agency (Business Owner)
[x] Non-Consolidated Agencies
[x] Vendor IT Service Provider (ITSP)

1) Title: Configuration Management

2) Purpose

This policy follows the NIST SP 800-53 Rev. 4 framework. The purpose of this policy is to help alleviate security risks brought on by agency personnel. It ensures agency personnel fulfill the screening criteria set up by each agency and also ensures third-party personnel follow the same security criteria. This policy should be viewed as a set of minimum security requirements that must be adhered to in order to establish a consistent baseline of security. Depending on the needs of the agency Business Owner, the type and categorization of the data being processed, stored, or transmitted by the system, federal or state statutory requirements, or any other items of concern or requirement, there may (and likely will) be more stringent security control requirements. Any additional security requirements will be identified in the supporting system documentation, including system security plans, contracts, statements of work, or service level agreements, and will supersede the minimum requirements of this policy. This policy is issued pursuant to the State of Colorado Information Security Policies created to support the State of Colorado Chief Information Security Officer (CISO) in achieving the requirements of the Colorado Information Security Act (C.R.S. 24-37.5-401 et seq.). For the Consolidated Agencies, the Governor’s Office of Information Technology (OIT) maintains an Information Security Program to control risks associated with access, use, storage, and sharing of sensitive citizen and state information. OIT documents the program details in the Enterprise Cyber Security Plan (ECSP), and sets forth security policy for the Consolidated Agencies in the OIT Information Security Policies. Non-Consolidated Agencies shall maintain an Agency Cyber Security Plan (ACSP) and implement the Colorado Information Security Policies (CISP) for the same purpose.

3) Policy

This policy is to ensure state computing assets adhere to secure configuration management practices. It requires that changes to system configuration are managed through a formal, organizationally adhered-to change control process, so that changes are reviewed, tested, validated and documented before they are implemented, and that the Business Owner or organization establishes software usage restrictions, including license tracking, and establishes a process for users to request non-standard software.

4) Organizations Affected

This policy applies to any and every public agency ("Agency") as defined in C.R.S. 24-37.5-402(9). This policy also applies to any entity providing information technology (IT) as defined in C.R.S. 24-37.5-102(2), or any IT related products, goods, equipment, hardware, supplies, software, services, or any other IT related resource, to any Agency. Notwithstanding anything to the contrary, the Chief Information Security Officer (CISO), as set forth in C.R.S. 24-37.5-403(1), shall, in the CISO's sole discretion, determine the application of this policy to any Entity or Agency.

5) Scope

This policy covers information technology systems with a data security categorization of “low” or “moderate”. Examples of data with a security categorization of “low” include most data elements in state personnel records, building code violations, Personally Identifiable Information (PII) and firearm permits data. Examples of data with a security categorization of “moderate” include Federal Tax Information (FTI), Health Insurance Portability and Accountability Act (HIPAA) data and Social Security Administration (SSA) data. Criminal Justice Information System (CJIS) data has a security categorization of “high” and must comply with the CJIS Security Policy. Further guidance on data and information system security categorization levels is located in the Data Security Categorization Standard, posted in the same location as the Colorado Information Security Policies (oit.state.co.us/ois/policies).

6) References

a) C.R.S. 24-37.5-401, 403, 404, 404.5, 405, and 406
b) Senate Bill 08-155 as codified in C.R.S. 24-37.5-101 et seq.
c) Federal Information Processing Standard (FIPS) 199, “Standards for Security Categorization of Federal Information and Information Systems”; Federal Information Processing Standard (FIPS) 200, “Minimum Security Requirements for Federal Information and Information Systems”
d) National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, rev. 4, “Recommended Security Controls for Federal Information Systems”
e) Agency Cyber Security Plan (ACSP) defined in CISP-017 SP-Security Planning Policy

7) Definitions

a) Agency or Agencies: Refers to agencies as defined in C.R.S. 24-37.5-402(9).
b) Business Owner: The Agency or entity that owns the data, has the authority to authorize or deny access to the data, and is responsible for the accuracy, integrity, and timeliness of the data.
c) CISO: Chief Information Security Officer. Unless otherwise referenced, CISO refers to the State CISO as defined in C.R.S. 24-37.5-404(4).
d) Consolidated Agencies: Refers to those state agencies whose IT functions were consolidated under OIT pursuant to SB 08-155 and defined in C.R.S. 4-37.5-102(4).
e) Information System: A discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.
f) Information Technology (IT): Any related products, goods, equipment, hardware, supplies, software, services, or any other IT related resource as defined in C.R.S. 24-34.5-102(2).
g) Information Technology Service: Any personal or professional service related to IT.
h) Information Technology Service Provider (ITSP): A Service Provider that provides information technology services to any Agency. The ITSP may be an internal department or a third-party vendor. OIT is an ITSP to the Consolidated Agencies.
i) Non-Consolidated Agencies: Refers to those state agencies whose IT functions were not consolidated under OIT; however, the CISO provides guidance to all public agencies as defined in the “Organizations Affected” section of this policy.
j) Security Category: The characterization of information or an information system based on an assessment of the potential impact that a loss of confidentiality, integrity, or availability of such information or information system would have on organizational operations, organizational assets, individuals, other organizations, and the state. See TS-Data Cat-001: Data Security Categorization Technical Standard, which is posted in the same location as the Colorado Information Security Policies (http://oit.state.co.us/ois/policies).

8) Responsibilities

8.1 State Chief Information Security Officer (CISO)
8.1.1. Establishes and maintains the Colorado Information Security Program (Secure Colorado), which provides guidance to public agencies.
8.1.2. Promulgates statewide information security policies (Colorado Information Security Policies) and procedures to protect the State of Colorado’s information systems and related resources.
8.1.3. Ensures successful implementation of the Colorado Information Security Policies.

8.2 IT Service Provider
8.2.1. Ensures maintenance requirements are documented for their respective areas of responsibility.
8.2.2. Ensures lists of approved maintenance personnel are up to date.
8.2.3. Monitors and escorts maintenance personnel as required.
8.2.4. Defines how the application functions based on the Business Owner’s requirements.
8.2.5. Works with the Agency to approve physical and logical access to systems and applications.
8.2.6. Provides for the administration of information systems, networks, and any interconnected technology.
8.2.7. Performs system design and implementation of IT systems.
8.2.8. Performs user support for interconnected IT systems including hardware, software, mobile devices, print, or any number of IT devices.

8.3 Business Owner
8.3.1. Defines the expected business outcomes that are supported by the application or system.
8.3.2. Identifies the criticality of selected system or application functions and the expected service level goals for system or application operations and support.
8.3.3. Identifies the priority of IT support and project requests that impact the system or application.
8.3.4. Represents the system or application in business strategy discussions and ensures there is a short-term and long-term strategy for the application or system.
8.3.5. Describes and clarifies required business processes and terminology to help the ITSP understand the requirements of the system or application.
8.3.6. Reviews and approves the proposed functional recommendations from ITSP development teams.
8.3.7. Ensures the ITSP is providing the appropriate level of status and explanation.
8.3.8. Controls and prioritizes all of the business requests that are submitted to the ITSP.
8.3.9. Works with the ITSP to approve physical and logical access to systems and applications.

9) Requirements

9.1 Baseline Configuration (Low/Moderate)
9.1.1. ITSP shall develop, document and maintain a current baseline configuration of Information Systems and system components (e.g., software packages, version numbers, and patch information).
9.1.2. ITSP shall review and update the baseline configuration of the Information System annually, or when changes occur that may have a potential impact on security controls, such as when system components are installed, changed, modified, or upgraded.
9.1.3. ITSP shall retain previous version(s) of the baseline configurations to support rollback.
9.1.4. ITSP shall ensure all devices connect to a managed organizational network at regular intervals to receive configuration changes, anti-virus updates, and security patch updates.

9.2 Configuration Change Control (Low/Moderate)
9.2.1. ITSP shall determine and document the types of changes to the Information System.
9.2.2. ITSP shall have and use a formal change control body to review, approve, and track all changes to Information Systems.
9.2.3. ITSP shall test and validate any changes to the Information System before implementing the changes on the system, and must document a rollback plan should the changes be found to have a negative system or security impact.
9.2.4. ITSP shall document configuration change decisions associated with the Information Systems.
9.2.5. ITSP shall retain records of changes to the Information System for one (1) year or as required by applicable state and federal laws, executive orders, directives, policies, regulations, standards, and guidance.
9.2.6. ITSP shall audit and review activities associated with changes to the Information Systems at regular intervals.
9.2.7. ITSP shall coordinate and provide oversight for configuration change control activities through a change control committee, board, or other authorizing entity for the organization.

9.3 Security Impact Analysis (Low/Moderate)
9.3.1. ITSP shall analyze changes to the Information System to determine potential security impacts or associated security ramifications (e.g., to the security plan or risk assessment) prior to change implementation.

9.4 Access Restrictions for Change (Low/Moderate)
9.4.1. ITSP shall ensure only authorized personnel are able to implement approved configuration changes.

9.5 Configuration Settings (Low/Moderate)
9.5.1. ITSP shall establish and document secure configuration settings for information technology products (e.g., mainframe computers, servers, workstations, and other network components) employed within the Information System, using an industry accepted standard security hardening methodology.
9.5.2. ITSP shall identify, document, and approve any deviations from established secure configuration settings.
9.5.3. ITSP shall monitor and control changes to the secure configuration settings in accordance with organizational processes and procedures.

9.6 Least Functionality (Low/Moderate)
9.6.1. ITSP shall configure the Information System to provide only the essential capabilities needed to meet the requirements and purpose of the system.
9.6.2. ITSP shall harden systems, including prohibiting, disabling, or restricting the use of unused or unnecessary physical and logical functions, ports, protocols and/or services.
9.6.3. ITSP shall periodically review the Information System to identify unnecessary and/or insecure functions, ports, protocols, or services and disable those deemed to be insecure.
9.6.4. ITSP shall ensure the Information System allows only authorized software program execution where technically feasible.
9.6.5. ITSP shall review and update the list of authorized software that can be installed and executed on the Information System as required by applicable state and federal laws, executive orders, directives, policies, regulations, standards, and guidance.

9.7 Information System Component Inventory (Low/Moderate)
9.7.1. ITSP shall develop and document an inventory of Information System components that accurately reflects the current Information System.
9.7.2. ITSP shall scan the network to detect changes to, and review and update, the asset inventory on a regular basis. Automated tools which provide continuous scanning abilities are preferable to a manual scan review; however, if the inventory scan to detect changes is manual, it must be reviewed quarterly.
9.7.3. ITSP shall ensure unauthorized devices are removed from the network if discovered.

9.8 Configuration Management Plan (Low/Moderate)
9.8.1. ITSP shall ensure a configuration management plan is developed, documented, and implemented for the Information System that:
● Addresses roles, responsibilities, and configuration management processes and procedures;
● Establishes a process for identifying configuration items (i.e., hardware, software, firmware, and documentation) throughout the system life cycle and for managing the configuration of the system;
● Defines the configuration items for the Information System and places the configuration items within the configuration management plan;
● Protects the configuration management plan from unauthorized disclosure, dissemination, and modification; and
● Describes how to move changes through the change management processes, update configuration settings and baselines, maintain Information System component inventories, control development, test, and operational environments, and develop, release, and update key system documentation.

9.9 Software Usage Restrictions (Low/Moderate)
9.9.1. ITSP shall use software and associated documentation in accordance with contract agreements and applicable copyright laws.
9.9.2. ITSP shall track the use of software and associated documentation protected by quantity licenses to control copying and distribution.
9.9.3. ITSP shall control and document the use of peer-to-peer file sharing technology to ensure that this capability is not used for unauthorized distribution, display, performance, or reproduction of copyrighted work.

9.10 User Installed Software (Low/Moderate)
9.10.1. ITSP shall establish written processes and procedures that govern the installation of software by end users of computing systems.
9.10.2. ITSP shall enforce software installation policies through procedural, periodic examination, and/or automated methods. Automated inventory tools which provide continuous scanning abilities are preferred; however, if user software tracking is performed manually, it must be reviewed quarterly.
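The following is an added example, not part of CISP-005 and not OIT or ITSP tooling. It shows one way an ITSP could carry out the baseline comparison that requirements 9.1.1, 9.1.2 and 9.7.2 call for: a documented baseline of components (package, version, patch level) is compared against the result of a later inventory scan, every difference is matched against the documented, approved deviations of 9.5.2, and prior baselines are retained so an update can be rolled back per 9.1.3. All component names, versions, the ticket id and the record layout are constructed sample data and assumptions, not values from the policy.

```python
"""Baseline-configuration drift check.

Added example, not part of CISP-005 or any OIT tooling. It models the
CISP-005 requirements 9.1.1/9.1.2 (documented baseline, reviewed when
components change), 9.5.2 (documented, approved deviations), 9.1.3
(retain prior baselines for rollback) and 9.7.2 (detect inventory changes).
Every component, version and ticket id below is constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# A baseline maps component name -> {"version": ..., "patch": ...} (assumed layout)
Baseline = Dict[str, Dict[str, str]]

# Constructed baseline for one hypothetical server
BASELINE: Baseline = {
    "openssh-server": {"version": "7.4", "patch": "p1-21"},
    "httpd": {"version": "2.4.6", "patch": "r88"},
    "sudo": {"version": "1.8.23", "patch": "r10"},
}

# Constructed result of a later inventory scan of the same server
CURRENT: Baseline = {
    "openssh-server": {"version": "7.4", "patch": "p1-23"},  # patch level moved
    "httpd": {"version": "2.4.6", "patch": "r88"},            # unchanged
    "telnet-server": {"version": "0.17", "patch": "r64"},     # not in baseline
    # "sudo" is absent from the scan
}

# Approved deviations (9.5.2): (component, kind of change) -> change record.
# The ticket id is a constructed placeholder.
APPROVED_DEVIATIONS: Dict[Tuple[str, str], str] = {
    ("openssh-server", "changed"): "CHG-0000 (placeholder ticket id)",
}


@dataclass
class Finding:
    component: str
    kind: str       # "added", "removed" or "changed"
    detail: str
    approved: bool
    ticket: str = ""


def compare(baseline: Baseline, current: Baseline,
            approved: Dict[Tuple[str, str], str]) -> List[Finding]:
    """Return every difference between baseline and current, sorted by name,
    marking each as approved only if a matching deviation record exists."""
    findings: List[Finding] = []
    for name in sorted(set(baseline) | set(current)):
        if name not in current:
            kind, detail = "removed", f"baseline {baseline[name]}"
        elif name not in baseline:
            kind, detail = "added", f"current {current[name]}"
        elif baseline[name] != current[name]:
            kind, detail = "changed", f"{baseline[name]} -> {current[name]}"
        else:
            continue  # matches the baseline; nothing to report
        ticket = approved.get((name, kind), "")
        findings.append(Finding(name, kind, detail, bool(ticket), ticket))
    return findings


def unapproved(findings: List[Finding]) -> List[Finding]:
    """Drift with no approved deviation: what the change control body must see."""
    return [f for f in findings if not f.approved]


class BaselineStore:
    """Holds the current baseline and every prior version (9.1.3), so an
    update found to have a negative security impact can be rolled back."""

    def __init__(self, initial: Baseline) -> None:
        self.versions: List[Baseline] = [dict(initial)]

    @property
    def current(self) -> Baseline:
        return self.versions[-1]

    def update(self, new_baseline: Baseline) -> None:
        self.versions.append(dict(new_baseline))

    def rollback(self) -> Baseline:
        if len(self.versions) < 2:
            raise ValueError("no previous baseline retained")
        self.versions.pop()
        return self.current


if __name__ == "__main__":
    for f in compare(BASELINE, CURRENT, APPROVED_DEVIATIONS):
        status = f"approved via {f.ticket}" if f.approved else "UNAPPROVED"
        print(f"{f.kind:8} {f.component:15} {f.detail}  [{status}]")
```

Run as a script, the check reports the openssh-server patch change as approved (it has a deviation record), while the missing sudo package and the unexpected telnet-server package come out as unapproved drift for the change control body to act on. Keying approvals on (component, kind) rather than on the component alone means a record that approves a version change does not silently cover that component being removed.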

10) Compliance

Failure to comply may result in the Chief Information Security Officer temporarily discontinuing or suspending the operation of the solution and/or resource until such compliance is established, as deemed solely by the Chief Information Security Officer.

11) Expiration

This policy remains in effect until superseded or rescinded by the State Chief Information Security Officer.

12) Review History

REVIEW DATE   REVIEWED BY                                 NEXT REVIEW DATE
8/17/2016     CISO and Office of Information Security     2/01/2018

Supplemental Guidance: CISP-005 Supplemental Guidance - CM Configuration Management

State of Colorado | Governor’s Office of Information Technology
