University Policies and Procedures Manual (previously Business Policies and Procedures Manual)
Configuration Management and Change Management
UPPM 87.30
For more information contact:
Information Technology Services
1.0 Overview and Purpose
1.1 Information Assurance Policies Generally
The purposes of the information assurance policies in UPPM Chapter 87: Information Technology and Security are to:
- Set requirements to ensure the privacy, confidentiality, integrity, and availability of Washington State University (WSU) data;
- Support institutional goals and strategies with appropriate methods for administratively, technically, and operationally protecting data; and
- Define the criteria WSU follows to meet requirements for protecting data, which are determined by Information Owners.
The policies in this chapter comply with Federal Information Processing Standards (FIPS 199), which are intended to help organizations achieve a common level of quality and interoperability in information technology (IT) by requiring categorization of systems as low-impact, moderate-impact, or high-impact for the stated security objectives of confidentiality, integrity, and availability.
To determine the potential consequence of a loss event, the Federal Information Processing Standards:
- Define WSU Information Owners’ impact categorization rating (Low, Moderate, or High);
- Dictate which security controls are mandatory based upon the categorization level;
- Define the strength, frequency, and formalization of those controls; and
- Influence audit burden and continuous monitoring rigor.
See UPPM 87.01 for definitions, general information, and violations related to this policy, as well as additional information regarding roles and responsibilities.
1.2 Specific Policy Overview and Purpose
Managing configuration and change activities protects the confidentiality, integrity, and availability of WSU institutional data and information systems. By establishing requirements for consistent configuration and change management practices, this policy provides a framework that enables WSU to maintain secure, reliable, and well‑managed IT environments.
2.0 Applicability
This policy applies to all WSU system users who have contact with, or potentially may have contact with, WSU data, applications, and computing resources.
Security control exceptions to policy statements in UPPM Chapter 87 are managed and maintained in accordance with UPPM 87.23.
3.0 Roles and Responsibilities
3.1 Chief Information Officer
The Chief Information Officer (CIO) of WSU, or designee, is responsible for administering this policy and reviewing it on an annual basis.
3.2 Information System Owners
Information System Owners, or their delegates, are responsible and accountable for developing appropriate Standard Operating Procedures (SOPs) for this policy’s implementation.
3.3 Office of Information Security and Assurance (OISA)
WSU’s Office of Information Security and Assurance (OISA) shall maintain the standard (PDF) associated with this policy and provide guidance on the procedures for implementing it (see examples (PDF)).
Note: While all units are required to adhere to the standard established by OISA (NIST SP 800-53), procedural examples for implementation are optional.
4.0 Requirements
4.1 General
WSU shall establish a System Change Control Board (CCB) to govern changes that have cross-area, enterprise, or institution-wide impact. The CCB is responsible for evaluating proposed changes, assessing operational and security risk, reviewing testing and rollback plans, coordinating implementation across affected entities, and approving or denying changes prior to deployment.
Each WSU area shall develop, document, and maintain a configuration and change management process for managing changes within its area of responsibility. Area-level changes that do not affect other areas or shared institutional services may follow the area’s internal process. Changes with potential effects beyond the area shall be elevated to the CCB for coordinated review and approval.
WSU Information System Owners, or their delegates, must develop and maintain a system component inventory that includes all components of the system.
WSU Information System Owners, or their delegates, must develop, implement, and maintain a configuration management plan that addresses processes and procedures for identifying configuration items and placing those items under configuration management.
All changes to WSU information systems are to be analyzed to determine potential security and privacy impacts prior to change implementation.
Only qualified and authorized individuals are permitted to access information systems to initiate changes, upgrades, or other modifications in accordance with UPPM 87.60.
Configuration baselines are to be created for computing resources after any major change to an existing system configuration item and after system component installations and/or upgrades. Baselines are to be configured to provide the least functionality to support business and mission objectives and be reviewed on a defined schedule.
Baseline images are to be labeled with their FIPS 199 impact classification, maintained with the highest level of security in accordance with UPPM 87.53, and stored in accordance with UPPM 87.62.
Processes and procedures are to be developed to manage WSU cryptographic mechanisms.
WSU Information System Owners, or their delegates, are to ensure that maintenance of systems and system components, including non-local maintenance, is performed promptly by authorized and competent personnel with appropriate access. Procedures are to be implemented for maintenance personnel who lack appropriate access authorization.
WSU Information System Owners, or their delegates, are to ensure that non-local maintenance and diagnostic services performed on systems are performed from systems or services with a comparable or higher security posture.
Non-local maintenance and diagnostic activities on WSU systems must be documented in the system security plan for the system and must employ strong authentication mechanisms for system access. Network connections for non-local maintenance are to be terminated when maintenance is complete.
Security configuration baselines are to include all necessary and approved software and configuration settings in accordance with UPPM 87.40.
WSU Information System Owners, or their delegates, must ensure software, and associated documentation, is used in accordance with contractual agreements and copyright law.
WSU Information System Owners, or their delegates, must document and control the use of peer-to-peer file distribution software.
WSU Information System Owners, or their delegates, must establish, monitor, and enforce a policy for governing user-installed software.
4.2 Moderate- and High-Impact Systems
In addition to the above, the following requirements apply to all moderate- and high-impact systems.
System component inventories for moderate- and high-impact systems are to be updated during installation and removal of the components.
- For moderate- and high-impact systems, Information System Owners are to use automated mechanisms to maintain the completeness and accuracy of component inventories.
All information system change requests for moderate- and high-impact systems must be tested, validated, and documented in a separate test environment prior to being submitted to the CCB.
WSU employees who have access to moderate- or high-impact systems or components and who are known to be travelling to high-risk areas (e.g., foreign countries) are to be issued systems or components by the WSU area unit with configurations and controls to counter any increased threat, in accordance with UPPM 95.01 and 95.53.
WSU Information System Owners, or their delegates, are to ensure tools used in the maintenance of moderate- and high-impact systems are controlled, periodically reviewed for utility, and inspected for unauthorized modifications and/or presence of malicious code.
Configuration baselines of moderate- and high-impact systems are to be reviewed to identify and disable unnecessary services.
WSU must utilize an automated configuration management process to manage moderate- and high-impact baseline security configurations. Current and previous versions of the baseline configurations are to be maintained to support rollback.
Response actions must be taken when unauthorized changes to configuration-controlled settings of moderate- and high-impact systems are detected.
WSU Information System Owners, or their delegates, must prevent unauthorized removal of WSU information from maintenance equipment by verifying that tools used in the maintenance of moderate- and high-impact information systems do not store, share, or otherwise retain WSU data.
Following changes to moderate- and high-impact systems, Information System Owners, or their delegates, are to verify that the changes were implemented correctly, are operating as intended, and are producing the desired outcome with respect to the security and privacy requirements of the system.
WSU Information System Owners, or their delegates, must identify authorized software on moderate- and high-impact systems and prevent unauthorized programs from executing.
4.3 High-Impact Systems
In addition to the above, the following requirements apply to all high-impact systems.
Physical and/or logical access to high-impact systems must use automated access enforcement mechanisms and automatically generate access audit records.
Automated mechanisms are to be used to perform maintenance activities on high-impact systems.
High-impact systems are to use automated mechanisms to report and document information system changes.
File integrity checking is to be performed on high-impact system images and baselines on a regular schedule.
5.0 Training
See UPPM 87.21 for training requirements related to UPPM Chapter 87.
In addition to the requirements in UPPM 87.21, Information System Owners are responsible for ensuring that users receive appropriate information security and privacy training commensurate with their roles, responsibilities, and authorized access to information systems under the Information System Owner’s authority.
_______________________
Revisions: March 2026 (Rev. 654); July 2020 – new policy (Rev. 552)