Configuration Change Policy

Purpose

iEHR is responsible for ensuring the confidentiality, integrity, and availability of all Protected Health Information (PHI) stored on its systems. iEHR has an obligation to provide appropriate protection against threats that could adversely affect the security of the system or the data entrusted to it. Implementation of this policy will limit the exposure to, and possible effects of, common threats to the systems.

Scope

The scope of this policy is applicable to all Information Technology (IT) resources owned or operated by iEHR. All users are responsible for adhering to this policy.

Definitions

  1. Email: The electronic transmission of information through a mail protocol such as SMTP, POP, or IMAP.
  2. User: Any employee or other person authorized by iEHR to read, enter, or update information created or transmitted via the electronic mail system.

Policy

  1. The Security Officer will be responsible for implementing this policy, and ensuring users comply with it.
  2. Baseline Configuration
    1. Develop, document, and maintain a current baseline configuration of Information Systems.
    2. The baseline configuration must be reviewed and updated based on environment changes.
    3. At minimum, the baseline configuration shall include:
      1. Standard operating system/installed applications with current version numbers.
      2. Standard software load for workstations, servers, network components, and mobile devices and laptops.
      3. Up-to-date patch level information.
      4. Network topology.
      5. Logical placement of the component within the system and enterprise architecture.
      6. Technology platform.
    4. Maintain a baseline configuration for development and test environments that is managed separately from the operational baseline configuration.
    5. Monitor systems for security baselines and policy compliance.
  3. Configuration Change Control
    1. Perform change control for key Information Systems. This shall include:
      1. Determining the type of changes to the information asset that are configuration controlled.
      2. Approving configuration-controlled changes to the system with explicit consideration for security impact analysis.
      3. Documenting approved configuration-controlled changes to the system.
      4. Retaining and reviewing records of configuration-controlled changes to the system.
      5. Auditing activities associated with configuration-controlled changes to the system.
        1. Auditing of changes must include changes in activity before and after a change is made to the information system and the auditing activities required to implement the change.
      6. Coordinating and providing oversight for configuration change control activities through a Change Control Board (CCB) that convenes monthly.
      7. Configuration change control for the information system shall involve the systematic proposal, justification, implementation, test/evaluation, review, and disposition of changes to the system, including upgrades and modifications.
      8. Configuration change control includes changes to components of the information system, changes to the configuration settings for information technology products, emergency changes, and changes to remediate flaws.
  4. Security Impact Analysis
    1. Analyze changes to the Information Systems to determine potential security impacts prior to change implementation.
    2. Security impact analysis may include reviewing information system documentation, such as the security plan, to understand how specific security controls are implemented within the system and how the changes might affect the controls.
    3. Security impact analysis may also include an assessment of risk to understand the impact of the changes and to determine if additional security controls are required.
    4. Security impact analysis is scaled in accordance with the security categorization of the information system.
  5. Access Restrictions for Change
    1. Define, document, approve, and enforce physical and logical access restrictions associated with changes to the information asset.
    2. Only qualified and authorized individuals are allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.
    3. No local administrative rights will be granted without the submission of an exemption form or approval by the Security Officer or Information Systems Officer (ISO).
    4. Maintain records of access to ensure configuration change control is being implemented as intended, and to support corrective action should the organization become aware of an unauthorized change to the information system.
    5. Create and maintain logical and physical access control lists that authorize qualified individuals to make changes to an information system or component.
    6. Access restrictions for change also include software libraries.
    7. Limit information system developer/integrator privileges to change hardware, software, and firmware components and system information directly within a production environment.
    8. Review and reevaluate information system developer/integrator privileges annually.
  6. Configuration Settings
    1. Establish, document, implement, and monitor mandatory configuration settings for IT products employed within the information asset, using a security configuration checklist that reflects the most restrictive mode consistent with operational requirements.
    2. Any exceptions to the mandatory configuration settings within the information asset must be identified, documented, and approved prior to ongoing use.
    3. Monitor and control changes to the configuration settings in accordance with organizational policies and procedures.
  7. Least Functionality
    1. Configure the information asset to provide only essential capabilities and specifically prohibit or restrict the use of the following functions, ports, protocols, and/or services.
    2. Any exceptions to baseline security configurations must be documented by security operations staff in writing and approved by the ISO.
    3. Security operations staff shall maintain records confirming the implementation of baseline security configurations for each IT system they manage.
    4. Security baseline implementation records will be audited annually by the ISO, to verify the implementation of the appropriate baseline security configurations.
    5. Security operations staff shall perform network vulnerability scans of all server and desktop computers annually.
      1. The ISO shall review the results of the IT system vulnerability scans when completed.
      2. Sensitive internal-facing web applications will be scanned for vulnerabilities annually. Sensitive external-facing web applications must be scanned for vulnerabilities annually. This scanning may be performed by security operations staff or system owners as is appropriate and convenient.
      3. All identified operating system and application vulnerabilities will be remediated without undue delay according to the severity and risk.
    6. Where feasible, the organization will limit component functionality to a single function per device (e.g., email server or web server, not both).
  8. Information System Component Inventory
    1. Develop, document, and maintain an inventory of the information asset components that exist within their area.
    2. Inventory detail must:
      1. Be maintained at a sufficient level for purposes of tracking and reporting.
      2. Be consistent with the authorization boundary of the information system.
      3. Be at the level of granularity deemed necessary for tracking and reporting.
      4. Include organization-defined information deemed necessary to achieve effective property accountability, such as:
        1. Hardware inventory specifications (manufacturer, type, model, serial number, physical location).
        2. Software license information.
        3. Information system/component owner.
        4. For a networked component/device, the machine name and network address.
    3. Updated system and network diagrams must be maintained.
    4. The inventory must be made available for review and audit by designated organizational officials.
    5. The inventory must be updated as an integral part of component installations, removals, and information system updates.
    6. The inventory must include assessed component configurations and any approved deviations to current deployed configurations.
    7. The inventory must include any information determined to be necessary by the organization to achieve effective property accountability including, but not limited to:
      1. Manufacturer
      2. Type
      3. Model
      4. Serial number
      5. Physical location
      6. Software license information
      7. Information system/component owner
      8. Associated component configuration standard
      9. Software/firmware version information
      10. Networked component/device machine name or network address
  9. Configuration Management Plan
    1. Develop, document, and implement a configuration management plan for the information asset that:
      1. Addresses roles, responsibilities, and configuration management processes and procedures.
      2. Defines the configuration items for the information asset and the point in the system development life cycle at which those configuration items are placed under configuration management.
      3. Establishes the means for identifying configuration items throughout the system development life cycle and a process for managing the configuration of the configuration items.
      4. Assigns responsibility for developing the configuration management process to organizational personnel that are not directly involved in system development.
      5. Defines detailed processes and procedures for how configuration management is used to support system development life cycle activities at the information system level.
      6. Describes how to move a change through the change management process, how configuration settings and configuration baselines are updated, how the information system component inventory is maintained, how development, test, and operational environments are controlled, and finally, how documents are developed, released, and updated.
    2. The configuration management approval process must include:
      1. Designation of key management stakeholders who are responsible for reviewing and approving proposed changes to the information system.
      2. Designation of security personnel that would conduct an impact analysis prior to the implementation of any changes to the system.
    3. In the absence of a dedicated configuration management team, the system integrator may be tasked with developing the configuration management process.

Violations

Any individual found to have violated this policy may be subject to disciplinary action, up to and including termination of employment. Violations shall be recorded in the iEHR issue tracking system, and support teams shall be dispatched to remediate the issue.