APPENDIX TO POLICY

Security Patching Standard

Objective

Apply security patches to the operating system and applications to protect University IT resources.

Security Controls

Patching Multi-user Systems (e.g., server, print server)

The following table defines the baseline security controls for patching multi-user systems. The High, Medium and Low columns give the requirement for systems classified at that security level.

ID      | Description                                                                                                                    | High            | Medium      | Low
--------|--------------------------------------------------------------------------------------------------------------------------------|-----------------|-------------|------------
SP.A.01 | Monitor for security-related patches for the operating system and applications                                                 | Required        | Required    | Recommended
SP.A.02 | Apply security patches within 30 days of release by the vendor or open source community                                        | Required        | Required    | Required
SP.A.03 | Use operating systems and applications for which the vendor or an active open source community develops current security patches | Required        | Required    | Required
SP.A.04 | Document the plan for immediate response to zero-day vulnerabilities, which includes applying security patches                 | Required        | Recommended | Optional
SP.A.05 | Document a process for managing security patches for the operating system and applications                                     | Required        | Recommended | Optional
SP.A.06 | Document the analysis and testing of security patches before deployment, or the analysis of the vulnerability if it remains unpatched | Recommended [1] | Recommended | Optional
SP.A.07 | Remove previous versions of applications if the patching process does not automatically remove older versions                  | Required        | Recommended | Optional

Patching Single-user Systems (e.g., desktop, laptop)

The following table defines the baseline security controls for patching single-user systems. The High, Medium and Low columns give the requirement for systems classified at that security level.

ID      | Description                                                                                                                    | High            | Medium      | Low
--------|--------------------------------------------------------------------------------------------------------------------------------|-----------------|-------------|------------
SP.B.01 | Monitor for security-related patches for the operating system and applications                                                 | Recommended [1] | Recommended | Optional
SP.B.02 | Apply security patches within 30 days of release by the vendor or open source community                                        | Required        | Required    | Required
SP.B.03 | Use operating systems and applications for which the vendor or an active open source community develops current security patches | Required        | Required    | Recommended
SP.B.04 | Enable automatic updates for the operating system and applications, or use a University-provided service for managing security patches | Required        | Required    | Required
SP.B.05 | Document the plan for immediate response to zero-day vulnerabilities, which includes applying security patches                 | Recommended [1] | Recommended | Optional
SP.B.06 | Document a process for managing security patches for the operating system and applications                                     | Recommended [1] | Recommended | Optional
SP.B.07 | Document the analysis and testing of security patches before deployment, or the analysis of the vulnerability if it remains unpatched | Recommended [1] | Recommended | Optional
SP.B.08 | Remove previous versions of applications if the patching process does not automatically remove older versions                  | Required        | Recommended | Optional

Patching Network Devices (e.g., firewall, switch, router, core node)

The following table defines the baseline security controls for patching network devices. The High, Medium and Low columns give the requirement for devices classified at that security level.

ID      | Description                                                                                                                    | High            | Medium      | Low
--------|--------------------------------------------------------------------------------------------------------------------------------|-----------------|-------------|------------
SP.C.01 | Monitor for security-related patches for the operating system and applications                                                 | Required        | Required    | Recommended
SP.C.02 | Apply security patches within 30 days of release by the vendor or open source community                                        | Required        | Required    | Required
SP.C.03 | Use operating systems and applications for which the vendor or an active open source community develops current security patches | Required        | Required    | Required
SP.C.04 | Document the plan for immediate response to zero-day vulnerabilities, which includes applying security patches                 | Recommended [1] | Recommended | Optional
SP.C.05 | Document a process for managing security patches for the operating system and applications                                     | Recommended [1] | Recommended | Optional
SP.C.06 | Document the analysis and testing of security patches before deployment, or the analysis of the vulnerability if it remains unpatched | Recommended [1] | Recommended | Optional
SP.C.07 | Remove previous versions of applications if the patching process does not automatically remove older versions                  | Required        | Recommended | Optional

[1] Required for systems in scope for the credit card processing environment under PCI DSS. This includes systems that store, process or transmit cardholder data, and systems that support them.

Resources Covered

This applies to IT resources owned or contracted by the University. It also applies to personally owned devices that access, or are authorized to store, University data designated as private-highly restricted or private-restricted.

Individuals Covered

This applies to University community members who use or manage University IT resources.

Related Information

More information on Security Patching