Northeastern University Configuration Management Standard
Related Policy: Northeastern University Information Security Policy, Northeastern University Risk Management Standard
Responsible Office: Office of Information Security (OIS)
Purpose and Scope
Northeastern University is committed to securing its data and providing clear and concise guidance on protecting the many information technology (IT) systems we use. Given the widespread use and diversity of the types of IT systems employed within Northeastern University, it is paramount that a technology-agnostic set of standards is in place and uniformly applied across all IT systems.
This standard establishes the minimum configuration management criteria to carry out and meet the intent of the directives within Northeastern University’s Information Security Policy. This standard applies to all organizations (e.g., academic entities, entities other than Colleges and Departments, legally separate but wholly owned entities) of Northeastern University.
IT systems are considered in the scope of this standard if they utilize any of the following:
Northeastern’s Network, ITS troubleshooting or administration, OIS incident response or investigation, or a Northeastern Microsoft account (e.g., @northeastern.edu).
Configuration Management Overview
This domain focuses on Configuration Management (CM). CM enables the university to establish configuration baselines for Northeastern University assets and ensures configuration and change management procedures are in place to protect Northeastern University environments.
Roles and Responsibilities
The following high-level functional roles support the configuration management processes for IT systems. In some cases, there may be more than one functional role associated with a specific process or task; similarly, more than one person may perform some roles. The following describe the roles and responsibilities associated with configuration management within the Northeastern University environment.
Change Advisory Board (CAB): A group of qualified individuals with responsibility for the process of regulating and approving changes to hardware, firmware, software, and documentation throughout the development and operational life cycle of an information system.
Chief Information Security Officer (CISO): Individual responsible for the overall Northeastern University information security program.
General Users: Individual, or (system) process acting on behalf of an individual, authorized to access an information technology (IT) system for performing a legitimate purpose. This user’s permissions are considered general, with no elevated permissions on the system, application, or appliance they have access to within the Northeastern University environment. This user is also authorized to access, process, transmit, and store Northeastern University Data in accordance with defined handling requirements.
System Administrator: An organization or individual responsible for setting up and maintaining an IT system, appliance, or specific IT system elements. This role revolves around hands-on management of the IT system and is usually more technical in nature than the System Owner. They are also responsible for implementing approved secure baseline configurations, incorporating secure configuration settings for IT products, and conducting/assisting with configuration monitoring activities as needed.
Depending on the size of the IT system, these responsibilities can be split across multiple skill-based domains listed below. These domains can be managed by separate teams across Northeastern University depending on the skills necessary to carry out the listed responsibilities.
- Infrastructure: manages any servers that are not aligned to a specific skill-based domain listed below.
- Network: manages all hardware and IT systems related to managing network communications.
- Security: manages all IT systems that ensure and confirm the security of the environment (e.g., Sentinel, Defender, Tenable, Azure, Intune, Windows Cloud PC).
- Desktop: manages the physical workstations and the software installed on them.
- Identity: manages IT systems that control identity-based access, like Entra ID.
System Owner: An individual or organization responsible for the development, procurement, integration, modification, operation, maintenance, and/or final disposition of an IT system.
Standard
This standard is scoped primarily around a subset of the National Institute of Standards and Technology (NIST) 800-171 controls to protect the confidentiality, integrity, and availability of information. The related NIST controls have been tagged (e.g., 3.4.1) in the text below to identify where each listed responsibility inherits its requirements from.
As the configuration management capability is matured over time, additional controls may be considered to augment confidentiality and address the availability and integrity of Northeastern University data. Additionally, when implementing the criteria of this document, organizations may choose to implement stricter criteria; however, the criteria cannot be lessened without formal exception by the Northeastern University Chief Information Security Officer (CISO) as described in the Compliance section of this standard.
Establish Configuration Baselines
(3.4.1) The System Owner is responsible for creating and maintaining Northeastern University asset inventories to include all operational devices (e.g., laptops, mobile devices, physical servers). The System Owner must review this inventory for correctness at least twice a year.
The System Owner is responsible for developing secure configuration baselines for system components (e.g., operating systems, firewalls, routers) and their component parts (e.g., hardware, software, firmware). Industry vetted and approved configuration baselines (e.g., Center for Internet Security [CIS] benchmarks, Defense Information Systems Agency [DISA] Security Technical Implementation Guides [STIG]) should be leveraged to the greatest extent possible when establishing secure configuration baselines for any Northeastern University IT system.
The System Owner is responsible for documenting the approved configurations of each system component type listed in the organization’s asset inventory and ensuring configuration baselines are updated to capture approved changes to the component’s configuration to address approved changes in functionality or security guidance contained within the baseline.
Additionally, the System Owner is responsible for reviewing approved configuration baselines annually to ensure all approved changes were incorporated into the baseline to confirm the baseline considers current threats and updates to the IT system.
Perform Configuration and Change Management
(3.4.2) The System Administrator is responsible for implementing strict configuration control over managed assets by ensuring only approved configuration baselines are deployed within operational environments processing Northeastern University Data.
The System Owner is responsible for annually reviewing configuration settings of operational systems to confirm the configurations of Northeastern University assets align with approved configuration baselines. The System Owner is responsible for documenting and ensuring proper approval is received for all deviations in security settings and system configurations from the approved configurations.
(3.4.3) Any change to a system’s configuration, environment, information content, functionality, or users deemed to be a significant change is sent to the CAB for approval prior to implementation. The System Owner is responsible for ensuring significant changes are approved by a simple majority of CAB membership.
The System Owner is responsible for establishing and managing change requests to document, at a minimum, the requestor, the system undergoing the change, the current setting, the proposed change, rollback procedures, and the rationale for the requested change. The System Owner is responsible for approving standard changes and ensuring significant changes are reviewed by the CAB. The System Owner is also responsible for documenting the disposition of the request (e.g., approved, denied, deferred) following the CAB’s review and the timeline for implementing approved change requests.
The System Owner is responsible for managing change request tickets to ensure they are tracked and recorded and presenting significant change requests to the CAB. The CAB is responsible for reviewing proposed significant changes for baseline configurations and approving changes if security risks imposed by the change are within acceptable risk tolerance levels established by the Northeastern University Risk Management Standard.
Once approval is granted by the CAB, the System Administrator is responsible for enacting approved change requests and updating change request tickets with the enactor’s name, the date and time of change, and the final disposition of the requested change (e.g., successfully implemented).
(3.4.4) The System Owner is responsible for performing security impact assessments to determine any risks associated with change (i.e., standard and significant) requests in accordance with the Northeastern University Risk Management Standard. Additionally, the System Owner is responsible for documenting the security impact and associated risk of the requested change to the Northeastern University environment and presenting the risks of requested significant changes to the CAB prior to the Board’s review of the requested change.
(3.4.5) The System Owner is responsible for implementing configuration controls to ensure approved changes can only be implemented from approved services or workstations (e.g., privileged access from authorized workstations only, patches deployed from authorized servers). Additionally, the System Owner is responsible for establishing maintenance windows to define when approved changes can be implemented within the Northeastern University Data environment.
Definitions
The following definitions have been derived from industry standard definitions provided by the National Institute of Standards and Technology (NIST) Computer Security Resource Center Glossary and, where appropriate, tailored for Northeastern University’s IT environment.
Asset: Anything that has value to an organization, including, but not limited to, data, another organization, person, computing device, information technology (IT) system, IT network, IT circuit, software (both an installed instance and a physical instance), virtual computing platform (common in cloud and virtualized computing), and related hardware (e.g., locks, cabinets, keyboards).
Configuration and Change Management: A collection of activities focused on establishing and maintaining the integrity of information technology products and information systems, through control of processes for initializing, changing, and monitoring the configurations of those products and systems throughout the system development life cycle.
Configuration Baseline: A documented set of specifications for an information system, or a configuration item within a system, that has been formally reviewed and agreed on at a given point in time, and which can be changed only through change control procedures. For the purposes of this Standard, Configuration Baselines and Benchmarks are synonyms.
Northeastern University Environment: The location, either physical (e.g., building, laboratory, room) or logical (e.g., enclave), within a Northeastern University organization (e.g., academic entities) which processes, transmits, or stores Northeastern University Data.
Information Technology (IT): Computing and/or communications hardware and/or software components and related resources that can collect, store, process, maintain, share, transmit, or dispose of data. IT components include computers and associated peripheral devices, computer operating systems, utility/support software, and communications hardware and software.
Organization: An entity of any size, complexity, or positioning within an organizational structure (e.g., school, department, lab, operational elements).
Significant Change: Any change to a system’s configuration, environment, information content, functionality, or users which has the potential to change the risk imposed upon the system’s continued operations. Significant changes to a system that may trigger an event-driven authorization action that must be approved by the CAB may include, but are not limited to:
- Installation of a new or upgraded operating system, middleware component, or application;
- Modifications to system ports, protocols, or services;
- Installation of a new or upgraded hardware platform;
- Modifications to how information, including PII, is processed;
- Modifications to cryptographic modules or services;
- Changes to system interconnections;
- Changes in information types processed, stored, or transmitted by the system; or
- Modifications to security and privacy controls.
Standard Change: A repeatable change that is frequently implemented, with a proven history of success and documented procedures for implementing the change. Standard changes do not negatively impact the risk posed by systems enacting the change. Standard changes may include installing patches, or applications previously approved and implemented on alternate servers or workstations.
Compliance
This standard complies with the directives defined in the Northeastern University Information Security Policy. The university recognizes that on rare occasions there might be compelling reasons to consider allowing an organization to operate outside of the criteria defined in this standard, as derived from the Northeastern University Information Security Policy. To facilitate this consideration, the System Owner must submit a petition for a risk-based policy exception in writing, including supporting rationale, and forward it to the Northeastern University CISO for review and approval. All approved risk-based policy exceptions must be formally documented by the Northeastern University CISO and indicate the exception duration (e.g., temporary, long-term). The Northeastern University CISO is responsible for disseminating and communicating all risk-based exception approvals and rescissions to the relevant stakeholders in a timely manner.
Change and Review Log
Date | Description | Version | Editor |
---|---|---|---|
01/21/2025 | Initial draft for Stakeholder Review | 0.1 | Akwasi Appiah |
1/24/2025 | Manager review before stakeholder review | 0.2 | Brad Wing |
9/3/2025 | Final draft approved by CISO | 1.0 | Brad Wing |
Appendix A. Northeastern University Configuration Management Standard Summary
The table below summarizes the Northeastern University IT system environment minimum criteria for enabling configuration management capabilities within the Northeastern University IT system environments.
- The first column “Northeastern University Practice ID” identifies the related Northeastern University practice ID as defined in the NIST 800-171.
- The “Northeastern University Practice Statement” column includes the Northeastern University practices required to be met for that control.
- The third column, “Derived Requirement”, provides a description of the requirement derived from the high-level Northeastern University practice statement. Derived requirements were developed from analysis of the intent of the practice and the logical components required to satisfy the practice. In some instances, a Northeastern University practice statement may be derived into several requirements to be addressed to satisfy the Northeastern University practice.
- The final column, “Northeastern University IT system environment Criteria”, defines the minimum criteria (e.g., configurations, actions, responsibilities, practices, etc.) which the university will implement to satisfy the related Northeastern University practice.
| NIST 800-171 Practice ID | NIST 800-171 Practice Statement | Derived Requirement | Northeastern University Data Environment Criteria (Northeastern University Practice Implementation) |
|---|---|---|---|
| 3.4.1 | Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles. | Configuration Baselines Management | The System Owner is responsible for: • Developing secure configuration baselines for system components (e.g., operating systems, firewalls, routers) and their component parts (e.g., hardware, software, firmware). • Leveraging industry vetted and approved configuration baselines (e.g., Center for Internet Security [CIS] benchmarks, Defense Information Systems Agency [DISA] Security Technical Implementation Guides [STIG]) to the greatest extent possible when establishing secure configuration baselines for any Northeastern University IT system. • Documenting the approved configurations of each system component type listed in the organization’s asset inventory. • Ensuring configuration baselines are updated to capture approved changes to the component’s configuration to address approved changes in functionality or security guidance contained within the baseline. • Reviewing approved configuration baselines annually to ensure all approved changes were incorporated into the baseline to confirm the baseline considers current threats and updates to the IT system. |
| | | System Inventory Management | The System Owner is responsible for: • Creating and maintaining Northeastern University asset inventories to include all operational devices (e.g., laptops, mobile devices, physical servers). • Reviewing this inventory for correctness at least twice a year. |
| 3.4.2 | Establish and enforce security configuration settings for information technology products employed in organizational systems. | Enforce Security Configurations | The System Administrator is responsible for: • Implementing strict configuration control over managed assets by ensuring only approved configuration baselines are deployed within operational environments processing Northeastern University Data. |
| | | Monitor Security Configurations | The System Owner is responsible for: • Annually reviewing configuration settings of operational systems to confirm the configurations of Northeastern University assets align with approved configuration baselines. • Documenting and ensuring proper approval is received for all deviations in security settings and system configurations from the approved configurations. |
| 3.4.3 | Track, review, approve, or disapprove, and log changes to organizational systems. | Change Advisory Board | The System Owner is responsible for: • Ensuring significant changes are approved by a simple majority of CAB membership. |
| | | | The System Owner is responsible for: • Establishing and managing change requests to document, at a minimum, the requestor, the system undergoing the change, the current setting, the proposed change, rollback procedures, and the rationale for the requested change. • Approving standard changes and ensuring significant changes are reviewed by the CAB. • Documenting the disposition of the request (e.g., approved, denied, deferred) following the CAB’s review and the timeline for implementing approved change requests. • Managing change request tickets to ensure they are tracked and recorded. • Presenting significant change requests to the CAB. |
| | | | The CAB is responsible for: • Reviewing proposed significant changes for baseline configurations. • Approving changes if security risks imposed by the change are within acceptable risk tolerance levels established by the Northeastern University Risk Management Standard. |
| | | | The System Administrator is responsible for: • Enacting approved change requests. • Updating change request tickets with the enactor’s name, the date and time of change, and the final disposition of the requested change (e.g., successfully implemented). |
| 3.4.4 | Analyze the security impact of changes prior to implementation. | Security Impact | The System Owner is responsible for: • Performing security impact assessments to determine any risks associated with change (i.e., standard and significant) requests in accordance with the Northeastern University Risk Management Standard. • Documenting the security impact and associated risk of the requested change to the Northeastern University environment. • Presenting the risks of requested significant changes to the CAB prior to the Board’s review of the requested change. |
| 3.4.5 | Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems. | Change Enforcement | The System Owner is responsible for: • Implementing configuration controls to ensure approved changes can only be implemented from approved services or workstations (e.g., privileged access from authorized workstations only, patches deployed from authorized servers). • Establishing maintenance windows to define when approved changes can be implemented within the Northeastern University Data environment. |
Appendix B. Configuration Management References
The following references are common industry standards used to carry out the configuration management criteria defined within this standard.
- NIST SP 800-70 Rev.4, National Checklist Program for IT Products: Guidelines for Checklist Users and Developers. https://csrc.nist.gov/publications/detail/sp/800-70/rev-4/final
- NIST SP 800-128, Guide for Security-Focused Configuration Management of Information Systems. https://csrc.nist.gov/publications/detail/sp/800-128/final
- NIST SP 800-167, Guide to Application Whitelisting. https://csrc.nist.gov/publications/detail/sp/800-167/final
- Security Technical Implementation Guides (STIGs), DoD Cyber Exchange. https://public.cyber.mil/stigs/
- CIS Benchmarks, Center for Internet Security (CIS). https://learn.cisecurity.org/benchmarks