IT0125 – Configuration Management

Effective: March 11, 2015
Revision No: 1

To establish policy for a security-focused Configuration Management program to ensure compliance with minimally acceptable system configuration requirements.


This policy applies to all users of and information technology (IT) resources owned, operated, or provided by the University of Tennessee System including its campuses, institutes, and administration (University and/or Campuses).

“Users” includes but is not limited to students, faculty, staff, contractors, agents, representatives, and visitors accessing, using, or handling the University’s information technology resources.

Information transmitted or stored on University IT resources is the property of the University unless it is specifically identified as the property of other parties.


The University has chosen to adopt the policy principles established in the National Institute of Standards (NIST) 800 series of publications, and this policy is based on those guidelines.

The Chancellor or equivalent at each Campus must designate an individual or functional position responsible for information security at their Campus (Position of Authority and/or Campus Authority). The individual or position should be at a high enough organizational level to allow him/her/it to speak with authority on and for the Campus.

Each Campus must develop or adopt and adhere to a program which demonstrates compliance with this policy and related standards. This program is the responsibility of the Position of Authority.

A Campus may apply more stringent requirements than those documented in this policy provided they do not conflict with or lower the standards or requirements established by this or any other University policy.

Each User of University resources is required to be familiar and comply with University policies. Acceptance of this policy is assumed if a User accesses, uses, or handles University resources.


Each Campus must:

  1. Develop and document necessary procedures, guidelines, and practices to facilitate the implementation of appropriate and effective system Configuration Management controls.
  2. Develop a systems Configuration Management plan for business-critical systems designated and approved by the campus Position of Authority, that:
    1. Addresses roles, responsibilities and the Configuration Management process.
    2. Establishes a process for defining configuration-controlled items throughout a systems’ lifecycle, and items to be placed under Configuration Management.
    3. Documents and maintains a current Baseline Configuration of information systems that accurately reflects the level of granularity that is deemed necessary for proper tracking and reporting.
    4. Ensures software and associated documentation are:
      1. Used in accordance with contracts and applicable laws, including copyright laws.
      2. Tracked to ensure no unauthorized copying or distribution of licenses.
    5. Governs user-installed software.
  3. Develop, document and maintain a Configuration Change Control process that reflects the types of changes to information systems that are configuration-controlled.
  4. Review and update configuration policy and procedures annually.
  5. Provide appropriate role-base Configuration Management training for information technology personnel.




  1. Configuration Management -  comprises a collection of activities focused on establishing and maintaining the integrity of products and systems, through control of the processes for initializing, changing, and monitoring the configurations of those products and systems.
  2. A Baseline Configuration - is a set of specifications for a system, or Configuration Item (CI) within a system, that has been formally reviewed and agreed on at a given point in time, and which can be changed only through change control procedures. The Baseline Configuration is used as a basis for future builds, releases, and/or changes.
  3. Configuration Change Control - is a process for managing changes to the Baseline Configurations for Configuration items.
  4. Position of Authority - is that person, as designated by the Chancellor, who is responsible for information security at their Campus

Last Reviewed:

March 11th, 2015

↑ Back to Top