Content

Systems Management and Configuration Strategy

Purpose

LightForce Information Services has developed and implemented the Systems Management and Configuration Strategy to maintain secure computer systems and networks.

Scope

The Systems Management and Configuration applies to all information technology assets, systems, networks, and data hosts that are owned or managed by LightForce.

Policy

To support and be compliant with LightForce standards and policies, each system administrator and system owner must follow the principles and procedures connected with this policy.

The goal of the strategy is to ensure that all LightForce technology systems adhere to a baseline configuration and have a consistent minimum security standard in place to prevent external threats, vulnerability exploitation, unauthorized data releases, and performance issues and faults.

Any hardware asset used to collect, transmit, process, store, or host LightForce data must be inventoried and maintained to prevent illegal access, dissemination, or misuse. The larger the asset’s value to LightForce, or the more vulnerable it is to risk or exploit, the higher the level of security necessary for its administration.

All servers and end-user workstations that gather, transmit, process, store, or host LightForce data must be formatted and configured with the appropriate permitted protocols, controls, and settings to protect LightForce systems and data.

Failure to safeguard lightForce information systems, hardware, and networks from threats and inadequate configurations can lead to data integrity loss, data unavailability, and/or illegal use of data or information systems owned by LightForce departments.

Configuration Management

Establish System Configuration

  • Hardware
  • Software
  • Firmware
  • Documentation

Establish Security Configuration

This requirement establishes and maintains baseline configurations for systems and system components including for system communications and connectivity. Baseline configurations include information about:

  • System components
  • Network topology
  • Logical placement within the system architecture

Change Control

Configuration change controls for organizational systems involve the systematic proposal, justification, implementation, testing, review, and disposition of changes to the systems, including:

  • Changes to System Configurations
  • Changes to Security Configurations
  • Unscheduled and unauthorized changes
  • Changes to remediate vulnerabilities.

Analyze Change Impact

Individuals conducting security impact analyses possess the necessary skills and technical expertise to analyze the changes to systems and the associated security ramifications, including: Reviewing security plans to understand security requirements and reviewing system design documentation to understand the implementation of safeguards How specific changes might affect the safeguards.

Access Restrictions

Any changes to a system’s hardware, software, or firmware components could have a substantial impact on the system’s overall security. Only qualified and authorized persons are allowed access to LightForce systems in order to make changes, such as updates and alterations.