Questions?
Please use the contact section in the governing policy.
Objective
Apply security patches to protect University IT resources. Inadequate security patching is a threat to the University IT infrastructure. IT resources that do not comply with the patching requirements for critical security patches may have their access to the University network limited or disconnected.
Security Controls
Patching
The following table defines the baseline security controls for patching software, including, but not limited to, operating systems, applications, and firmware. In cases where University Information Security issues a specific alert for a critical security patch, the requirements within that alert supersede those listed below.
| ID | Description | High | Medium | Low |
|---|---|---|---|---|
| SPM.A.01 | Periodically review a process for managing security patching (suggest: annual) | Required | Required Effective July 2019 | Recommended |
| SPM.A.02 | Document the analysis and testing of security patches before deployment for systems that are not employing automatic updates, or the analysis of the vulnerability remaining unpatched | Required Effective July 2019 | Recommended | Optional |
| SPM.A.03 | For multi-user systems: Follow a documented plan for immediate response to an active or expected exploit where mitigation includes applying security patches | Required | Required Effective July 2019 | Recommended |
| SPM.A.03 | For single-user systems and network devices: Follow a documented plan for immediate response to an active or expected exploit where mitigation includes applying security patches | Required Effective July 2019 | Required Effective July 2019 | Recommended |
| SPM.A.04 | Monitor for security related patches | Required | Required | Required |
| SPM.A.05 | Apply security patches within 30 calendar days of release from the vendor or open source community | Required | Required | Required |
| SPM.A.06 | Remove previous versions of software if the patching process does not automatically remove older versions | Required | Required Effective July 2019 | Required Effective July 2019 |

The High, Medium, and Low columns are the Security Level of the IT resource to which the control applies.
Resources Covered
This standard applies to IT resources owned or contracted by the University. It also applies to personally owned devices authorized to store University data designated as private-highly restricted or private-restricted.
Individuals Covered
This standard applies to University community members who use or manage University IT resources.
Related Information
- More information on Security Patch Management
- How to use the information security standards
- See the Information Security policy appendices for additional information security standards that also apply to security patch management.
Published Date
November 2014
Last Reviewed
April 2019