Configuration Management and Change Control

General

This section implements Integrated CSU Administrative Manual (ICSUAM) Policies 8050.0 and 8055.0.

Hardware and Software Configuration Management

The campus consults with T&I before each software and hardware purchase. T&I reviews these purchases for compatibility and interoperability with the campus common environment, including security and authentication capabilities.

Whenever practical, T&I will utilize CSU and/or CI-standard configurations for devices and systems.

Each University-issued laptop, desktop or workstation is imaged with a common suite of operating system software and applications, including security software, and is configured to use University resources for authentication and management.

T&I will evaluate all software products or services purchased for security capabilities and integration into the campus security environment. Additionally, products or services that will transmit or store Level 1 and Level 2 data must receive a written information security review from the Information Security Officer or designee.

Software Configuration Management - Applications

The source code and other required configuration information for each application developed by T&I is kept in a centrally-managed repository. The repository also provides an audit log of changes made to T&I applications. T&I Infrastructure staff regularly back up this repository to prevent the loss of the University’s intellectual property.

T&I Change Control

CSU Channel Islands employs a formal change control process. All changes to production T&I systems are regulated by the T&I Business Practice for Change Control, BP-00-002. The Change Control process requires that all changes to production systems be logged, and certain changes must receive administrative approval.

Except for emergency changes required to prevent or respond to an outage, each change to a system storing or transferring Level 1 or Level 2 data, or that could affect more than ten per cent of the University’s population, requires the approval of the Change Control Board, Information Security Officer and Chief Information Officer.