Technology Standard
Version: 1.0
Status: Approved 02/21/07
Contact: Director, Technology Services
PURPOSE
To provide guidelines necessary to implement System Office and College IT System Hardening standards and procedures.
SCOPE
In accordance with the COV ITRM 501-01, IT system hardening is necessary to protect System Office and College IT systems against vulnerabilities.
APPLICABILITY
The IT System Hardening Standard is applicable to the System Office and all Colleges.
STANDARD
IT system hardening focuses on the technical security controls of IT systems. It applies to all IT systems, not only to those classified as sensitive or high risk.
Requirement:
The System Office and Colleges should apply an appropriate baseline security configuration to every IT system. For IT systems that have been identified as high risk, or that contain sensitive or confidential data, the security configuration should be more restrictive than the baseline. The web sites listed below may be used to develop appropriate security configurations. All security configurations must be documented and maintained on file.
The VCCS Security Website
http://www.vccs.edu/its/security/index.htm
The Center for Internet Security
http://www.cisecurity.org/sitemap.html
NIST Security Configuration Checklists Repository
http://checklists.nist.gov/repository/category.html
Requirement:
Once security configurations have been applied and documented, they should be reviewed at least annually, or more frequently where applicable. Security configurations should be re-applied and re-verified whenever a system is changed (for example, after a system upgrade), since upgrades can silently reset hardened settings.
Requirement:
Vulnerability scanning of IT systems should be completed periodically to ensure that security configurations remain in place and remain adequate for the sensitivity and risk associated with the IT system. "Periodically" must be defined in the System Office or College security plan and must be at least annual. If scanning shows that the security configuration is no longer effective, the configuration should be modified, and the updated configuration must be documented and maintained on file.
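The requirements above assume that the documented configuration on file can be compared against what is actually running on the system, both after a change and on the periodic cycle. The following is an added example, not part of the VCCS standard or any CIS or NIST checklist, of a small configuration-drift check: a documented baseline (with a stricter overlay for high-risk systems) is parsed from the same "key = value" form that `sysctl -a` prints, and compared against a snapshot of the system. Every baseline key, value, and the "current" snapshot below are constructed for illustration; a real deployment would populate them from the documented configuration and from the host.

```python
"""Configuration-drift check for a documented hardening baseline.

Added example. The baseline settings, the high-risk overlay and the
'current' snapshot are constructed values, not taken from any VCCS,
CIS or NIST document.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Documented baseline kept on file (constructed). Same 'key = value'
# layout that `sysctl -a` prints, so real sysctl output can be parsed
# with the same function below.
BASELINE_STANDARD = """
# Kernel / network hardening (constructed example values)
net.ipv4.ip_forward = 0
net.ipv4.conf.all.accept_redirects = 0
kernel.randomize_va_space = 2
# Legacy services that must not be running
service.telnet = disabled
service.rsh = disabled
"""

# Stricter overlay applied on top of the standard baseline for systems
# identified as high risk or holding sensitive data (constructed).
BASELINE_HIGH_RISK = """
fs.suid_dumpable = 0
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.accept_source_route = 0
service.ftp = disabled
"""


def parse_baseline(text: str) -> Dict[str, str]:
    """Parse 'key = value' lines; '#' starts a comment, blank lines ignored."""
    settings: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected 'key = value', got {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key] = value
    return settings


def effective_baseline(high_risk: bool) -> Dict[str, str]:
    """Standard baseline, with the high-risk overlay merged on top when required."""
    base = parse_baseline(BASELINE_STANDARD)
    if high_risk:
        base.update(parse_baseline(BASELINE_HIGH_RISK))
    return base


@dataclass(frozen=True)
class Finding:
    key: str
    expected: str
    actual: Optional[str]  # None when the setting is absent from the snapshot


def check_drift(baseline: Dict[str, str], current: Dict[str, str]) -> List[Finding]:
    """Return one Finding per baseline setting that is missing or differs."""
    return [
        Finding(key, expected, current.get(key))
        for key, expected in sorted(baseline.items())
        if current.get(key) != expected
    ]


# Constructed snapshot of a host after an upgrade re-enabled IP forwarding
# and an FTP service was turned on; fs.suid_dumpable was never set.
CURRENT_SNAPSHOT = {
    "net.ipv4.ip_forward": "1",
    "net.ipv4.conf.all.accept_redirects": "0",
    "kernel.randomize_va_space": "2",
    "service.telnet": "disabled",
    "service.rsh": "disabled",
    "net.ipv4.tcp_syncookies": "1",
    "net.ipv4.conf.all.accept_source_route": "0",
    "service.ftp": "enabled",
}


def report(high_risk: bool) -> int:
    """Print drift findings and return their count (0 means compliant)."""
    findings = check_drift(effective_baseline(high_risk), CURRENT_SNAPSHOT)
    tier = "high-risk" if high_risk else "standard"
    print(f"[{tier}] {len(findings)} drifted setting(s)")
    for f in findings:
        actual = "<missing>" if f.actual is None else f.actual
        print(f"  {f.key}: expected {f.expected!r}, found {actual!r}")
    return len(findings)


if __name__ == "__main__":
    report(high_risk=False)
    report(high_risk=True)
```

Run against a real host, the snapshot would come from `sysctl -a` (parsed with `parse_baseline`) plus whatever service inventory the site documents; the baseline file itself is the document that the standard requires to be kept on file. Note that a vulnerability scanner reports exposed weaknesses, not whether a specific documented setting is still in place, so a comparison of this kind is the complement to the periodic scan rather than a replacement for it.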