Statement

West Texas A&M University must establish, document, implement and monitor mandatory configuration settings for information technology products employed within the information system and indicate the most restrictive mode consistent with operational requirements.  Exceptions to the mandatory configuration settings within the information asset must be identified, documented, and approved prior to ongoing use.

Applicability

This control applies to all West Texas A&M network information resources. The intended audience for this control includes all information resource owners and custodians.

Implementation

The information resource owner, or designee, shall:

• Establish mandatory configuration settings for components employed within the information resource.
• Configure security settings of information resource components to the most restrictive mode consistent with operational requirements
• Document the configuration settings
• Enforce the configuration settings in all components of the information resource
• Any deviations from the established settings shall be approved and documented by the security office.
• Configuration changes shall follow University change management policies and procedures.