APPENDIX TO POLICY

Security Patching Standard

Objective

Apply security patches to the operating system and applications to protect University IT resources.

Security Controls

Patching Multi-user Systems (e.g., server, print server)

The following table defines the baseline security controls for patching multi-user systems.

| Control ID | Control Description | Security Level: High | Security Level: Medium | Security Level: Low | Status |
|---|---|---|---|---|---|
| SP.A.01 | Monitor for security-related patches for the operating system and applications | Required | Required | Recommended | |
| SP.A.02 | Apply security patches within 30 days of release from the vendor or open source community | Required | Required | Required | |
| SP.A.03 | Use operating systems and applications for which the vendor or an active open source community develops current security patches | Required | Required | Required | |
| SP.A.04 | Document the plan for immediate response to zero-day vulnerabilities, which includes applying security patches | Required | Recommended | Optional | New |
| SP.A.05 | Document a process for managing the security patches for the operating system and applications | Required | Recommended | Optional | New |
| SP.A.06 | Document the analysis and testing of security patches before deployment, or the analysis of the vulnerability remaining unpatched | Recommended [1] | Recommended | Optional | New |
| SP.A.07 | Remove previous versions of applications if the patching process does not automatically remove older versions | Required | Recommended | Optional | New |

Patching Single-user Systems (e.g., desktop, laptop)

The following table defines the baseline security controls for patching single-user systems.

| Control ID | Control Description | Security Level: High | Security Level: Medium | Security Level: Low | Status |
|---|---|---|---|---|---|
| SP.B.01 | Monitor for security-related patches for the operating system and applications | Recommended [1] | Recommended | Optional | |
| SP.B.02 | Apply security patches within 30 days of release from the vendor or open source community | Required | Required | Required | |
| SP.B.03 | Use operating systems and applications for which the vendor or an active open source community develops current security patches | Required | Required | Recommended | |
| SP.B.04 | Enable automatic updates for the operating system and applications, or use a University-provided service for managing the security patches | Required | Required | Required | |
| SP.B.05 | Document the plan for immediate response to zero-day vulnerabilities, which includes applying security patches | Recommended [1] | Recommended | Optional | New |
| SP.B.06 | Document a process for managing the security patches for the operating system and applications | Recommended [1] | Recommended | Optional | New |
| SP.B.07 | Document the analysis and testing of security patches before deployment, or the analysis of the vulnerability remaining unpatched | Recommended [1] | Recommended | Optional | New |
| SP.B.08 | Remove previous versions of applications if the patching process does not automatically remove older versions | Required | Recommended | Optional | New |

Patching Network Devices (e.g., firewall, switch, router, core node)

The following table defines the baseline security controls for patching network devices.

| Control ID | Control Description | Security Level: High | Security Level: Medium | Security Level: Low | Status |
|---|---|---|---|---|---|
| SP.C.01 | Monitor for security-related patches for the operating system and applications | Required | Required | Recommended | |
| SP.C.02 | Apply security patches within 30 days of release from the vendor or open source community | Required | Required | Required | |
| SP.C.03 | Use operating systems and applications for which the vendor or an active open source community develops current security patches | Required | Required | Required | |
| SP.C.04 | Document the plan for immediate response to zero-day vulnerabilities, which includes applying security patches | Recommended [1] | Recommended | Optional | New |
| SP.C.05 | Document a process for managing the security patches for the operating system and applications | Recommended [1] | Recommended | Optional | New |
| SP.C.06 | Document the analysis and testing of security patches before deployment, or the analysis of the vulnerability remaining unpatched | Recommended [1] | Recommended | Optional | New |
| SP.C.07 | Remove previous versions of applications if the patching process does not automatically remove older versions | Required | Recommended | Optional | New |

[1] This control is required for systems in scope for the credit card processing environment per PCI DSS. This includes systems that support, store, process or transmit cardholder data.

Resources Covered

This standard applies to IT resources owned or contracted by the University. It also applies to personally owned devices that access, or are authorized to store, University data designated as private-highly restricted or private-restricted.

Individuals Covered

This standard applies to University community members who use or manage University IT resources.

Related Information

More information on Security Patching