University Policies

Configuration Management Policy

University Technology Services
University Technology Services

The failure to upgrade systems, install patches in a consistent and timely manner, and configure systems to eliminate known security weaknesses can create significant risk for the enterprise IT environment.

Configuration management must be employed on all computing and communications software assets.

  •  Worcester State must document the configuration of each computing and networking asset. The documentation must contain a unique identifier, operating system (OS), versions, patches, and dates of patch. A listing of all software titles installed on each platform, with version, batches, and dates the patches installed are to be included in the documentation.
  • Software updates and patches must be researched, tested, and verified by appropriate personnel before installing on any Worcester State asset, and only applicable upgrades and patches can be applied to enterprise assets.
  • Updates for common software titles used by Worcester State will be made accessible to all users of the Worcester State enterprise network after testing has been completed. Software updates and patches must only be acquired from the approved Worcester State enterprise network location or designate third party.
  • A list of approved software packages and version numbers for use on computers connected to the Worcester State enterprise network must be posted and made accessible to all users of the network. Critical security patches must be applied within 48 business hours of their availability whenever possible.
  • Standard configurations must be documented for, but not limited to, the type of OS. Configurations must include any modification that is not made by the “out of the box” default install (e.g., IP address of a server). Configurations must include any security-related modifications, and must be approved by the Data Security Officer who will inform the CIO. Configuration documentation must be made assessable to all users of the Worcester State enterprise network.
  • If other-than-standard software is required to perform an employee’s duties, authorization from his/her manager is required. The CIO or designee is to ensure that it is compatible with the Worcester State enterprise network and all associated Policies must evaluate any other-than-standard software.
  • System configuration standards are consistent with industry standards.