University of Minnesota  Appendix

Security Patch Management Standard


Governing Policy

Questions?

Please use the contact section in the governing policy.

Objective

Apply security patches to protect University IT resources. Inadequate security patching is a threat to the University IT infrastructure. IT resources that do not comply with the requirements for critical security patches may have their access to the University network limited or disconnected.

Security Controls

Patching

The following table defines the baseline security controls for patching software, including, but not limited to, operating systems, applications, and firmware. In cases where University Information Security issues a specific alert for a critical security patch, the requirements within that alert supersede those listed below.

Each control lists its requirement at each security level (High, Medium, Low). "Effective July 2019" marks requirements that take effect on that date.

SPM.A.01  Periodically review a process for managing security patching (suggest: annual)
    High:   Required
    Medium: Required (Effective July 2019)
    Low:    Recommended

SPM.A.02  Document the analysis and testing of security patches before deployment for systems that are not employing automatic updates, or the analysis of the vulnerability remaining unpatched
    High:   Required (Effective July 2019)
    Medium: Recommended
    Low:    Optional

SPM.A.03  For multi-user systems: Follow a documented plan for immediate response to an active or expected exploit where mitigation includes applying security patches
    High:   Required
    Medium: Required (Effective July 2019)
    Low:    Recommended

SPM.A.03  For single-user systems and network devices: Follow a documented plan for immediate response to an active or expected exploit where mitigation includes applying security patches
    High:   Required (Effective July 2019)
    Medium: Required (Effective July 2019)
    Low:    Recommended

SPM.A.04  Monitor for security related patches
    High:   Required
    Medium: Required
    Low:    Required

SPM.A.05  Apply security patches within 30 calendar days of release from the vendor or open source community
    High:   Required
    Medium: Required
    Low:    Required

SPM.A.06  Remove previous versions of software if the patching process does not automatically remove older versions
    High:   Required
    Medium: Required (Effective July 2019)
    Low:    Required (Effective July 2019)

Resources Covered

This standard applies to IT resources owned or contracted by the University. It also applies to personally owned devices authorized to store University data designated as private-highly restricted or private-restricted.

Individuals Covered

This standard applies to University community members who use or manage University IT resources.

Related Information

Published Date

November 2014

Last Reviewed

April 2019