University of Minnesota Policy Library

Security Patching Standard

Related Policy: Information Security
CONSULTED WITH: Faculty Consultative Committee

Please go to http://policy.umn.edu for the most current version of the Policy or related document.

Objective

Apply security patches to the operating system and applications to protect University IT resources.

Security Controls

Patching Multi-user Systems (e.g., server, print server)

The following table defines the baseline security controls for patching multi-user systems. The High, Medium and Low columns give each control's status at that security level; the Status column marks controls that are new in this version of the standard.

ID | Description | High | Medium | Low | Status
SP.A.01 | Monitor for security-related patches for the operating system and applications | Required | Required | Recommended |
SP.A.02 | Apply security patches within 30 days of release from the vendor or open source community | Required | Required | Required |
SP.A.03 | Use operating systems and applications for which the vendor or an active open source community develops current security patches | Required | Required | Required |
SP.A.04 | Document the plan for immediate response to zero-day vulnerabilities, including applying security patches | Required | Recommended | Optional | New
SP.A.05 | Document a process for managing the security patches for the operating system and applications | Required | Recommended | Optional | New
SP.A.06 | Document the analysis and testing of security patches before deployment, or the analysis of the vulnerability if it remains unpatched | Recommended (1) | Recommended | Optional | New
SP.A.07 | Remove previous versions of applications if the patching process does not automatically remove older versions | Required | Recommended | Optional | New

Patching Single-user Systems (e.g., desktop, laptop)

The following table defines the baseline security controls for patching single-user systems. Columns are as in the multi-user table above.

ID | Description | High | Medium | Low | Status
SP.B.01 | Monitor for security-related patches for the operating system and applications | Recommended (1) | Recommended | Optional |
SP.B.02 | Apply security patches within 30 days of release from the vendor or open source community | Required | Required | Required |
SP.B.03 | Use operating systems and applications for which the vendor or an active open source community develops current security patches | Required | Required | Recommended |
SP.B.04 | Enable automatic updates for the operating system and applications, or use a University-provided service for managing the security patches | Required | Required | Required |
SP.B.05 | Document the plan for immediate response to zero-day vulnerabilities, including applying security patches | Recommended (1) | Recommended | Optional | New
SP.B.06 | Document a process for managing the security patches for the operating system and applications | Recommended (1) | Recommended | Optional | New
SP.B.07 | Document the analysis and testing of security patches before deployment, or the analysis of the vulnerability if it remains unpatched | Recommended (1) | Recommended | Optional | New
SP.B.08 | Remove previous versions of applications if the patching process does not automatically remove older versions | Required | Recommended | Optional | New

Patching Network Devices (e.g., firewall, switch, router, core node)

The following table defines the baseline security controls for patching network devices. Columns are as in the multi-user table above.

ID | Description | High | Medium | Low | Status
SP.C.01 | Monitor for security-related patches for the operating system and applications | Required | Required | Recommended |
SP.C.02 | Apply security patches within 30 days of release from the vendor or open source community | Required | Required | Required |
SP.C.03 | Use operating systems and applications for which the vendor or an active open source community develops current security patches | Required | Required | Required |
SP.C.04 | Document the plan for immediate response to zero-day vulnerabilities, including applying security patches | Recommended (1) | Recommended | Optional | New
SP.C.05 | Document a process for managing the security patches for the operating system and applications | Recommended (1) | Recommended | Optional | New
SP.C.06 | Document the analysis and testing of security patches before deployment, or the analysis of the vulnerability if it remains unpatched | Recommended (1) | Recommended | Optional | New
SP.C.07 | Remove previous versions of applications if the patching process does not automatically remove older versions | Required | Recommended | Optional | New

(1) Required for systems in scope for the credit card processing environment under PCI DSS. This includes systems that support, store, process or transmit cardholder data.
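Three of the controls above can be checked mechanically: monitoring for applicable patches (SP.x.01), the 30-day application window (SP.x.02), and old versions left behind after patching (SP.x.07). The script below is an added example and is not part of the University standard or of any University tooling. It matches a constructed software inventory against constructed vendor advisories, computes each item's 30-day deadline from the advisory release date, and reports what is overdue, what is still inside the window, and which hosts carry more than one version of the same product. The hosts, product names, version numbers and dates are all made up for illustration.

```python
"""Check a software inventory against the 30-day patch window.

Added example; not part of the University standard. Inventory, advisories,
hosts, product names, versions and dates below are all constructed.
"""
import re
from dataclasses import dataclass
from datetime import date, timedelta

PATCH_WINDOW = timedelta(days=30)  # SP.x.02: apply within 30 days of vendor release


@dataclass(frozen=True)
class Advisory:
    product: str
    fixed_version: str  # first version that carries the security fix
    released: date      # date the vendor or project published the patch


@dataclass(frozen=True)
class Installed:
    host: str
    product: str
    version: str


# Constructed advisories, as a monitoring feed (SP.x.01) would yield them.
ADVISORIES = [
    Advisory("openssl", "3.0.12", date(2024, 1, 10)),
    Advisory("openssh", "9.6.1", date(2024, 2, 20)),
    Advisory("nginx", "1.25.4", date(2024, 2, 14)),
]

# Constructed inventory of what is installed on two hosts.
INVENTORY = [
    Installed("web01", "openssl", "3.0.11"),  # fix available since January
    Installed("web01", "nginx", "1.25.3"),    # superseded but still installed
    Installed("web01", "nginx", "1.25.4"),    # patched copy installed alongside
    Installed("db01", "openssh", "9.6.0"),    # fix released recently
    Installed("db01", "openssl", "3.0.12"),   # already at the fixed version
]


def parse_version(version: str) -> tuple:
    """Numeric tuple so that 1.2.10 sorts after 1.2.9 (a string compare would not)."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def evaluate(inventory, advisories, today):
    """Return (overdue, pending, stale_versions).

    overdue / pending: installed software below an advisory's fixed version,
    split by whether its 30-day deadline has passed on `today`.
    stale_versions: (host, product, versions) where a host keeps more than one
    version of a product installed (SP.x.07).
    """
    overdue, pending = [], []
    for item in inventory:
        for adv in advisories:
            if adv.product != item.product:
                continue
            if parse_version(item.version) >= parse_version(adv.fixed_version):
                continue  # already at or past the fixed version
            deadline = adv.released + PATCH_WINDOW
            record = {
                "host": item.host,
                "product": item.product,
                "installed": item.version,
                "fixed_version": adv.fixed_version,
                "deadline": deadline,
                "days_overdue": max(0, (today - deadline).days),
            }
            (overdue if today > deadline else pending).append(record)

    versions_by_host = {}
    for item in inventory:
        versions_by_host.setdefault((item.host, item.product), set()).add(item.version)
    stale_versions = [
        (host, product, sorted(versions, key=parse_version))
        for (host, product), versions in sorted(versions_by_host.items())
        if len(versions) > 1
    ]
    return overdue, pending, stale_versions


def run_check(today_iso: str):
    """Evaluate the constructed data as of an ISO date string."""
    return evaluate(INVENTORY, ADVISORIES, date.fromisoformat(today_iso))


if __name__ == "__main__":
    overdue, pending, stale = run_check("2024-03-01")
    for r in overdue:
        print(f"OVERDUE {r['host']} {r['product']} {r['installed']} -> {r['fixed_version']} "
              f"(deadline {r['deadline']}, {r['days_overdue']} days late)")
    for r in pending:
        print(f"PENDING {r['host']} {r['product']} {r['installed']} -> {r['fixed_version']} "
              f"(deadline {r['deadline']})")
    for host, product, versions in stale:
        print(f"STALE   {host} {product} has several versions installed: {', '.join(versions)}")
```

The deadline is derived from the advisory's release date, not from when the host was first scanned, because the standard counts the 30 days from vendor release. Versions are compared numerically; comparing version strings lexically would rank 1.25.10 below 1.25.4 and hide a missing patch. An item flagged as pending still needs a documented plan (SP.x.05) and, for PCI-scoped systems, documented testing or a documented decision to leave it unpatched (SP.x.06).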

Resources Covered

This applies to IT resources owned or contracted by the University. This also applies to personally owned devices accessing, or authorized to store, University data designated as private-highly restricted or private-restricted.

Individuals Covered

This applies to University community members who use or manage University IT resources.

Related Information

More information on Security Patching


© 2013 Regents of the University of Minnesota. All rights reserved.
The University of Minnesota is an equal opportunity educator and employer.
Last modified on September 24, 2013