
Patch Management and System Updates Policy

Approved by the President
10/27/2009

Review Schedule
This policy should be reviewed and updated annually

Policy Contact
IT Security Administrator
(607) 436-3203
itsecurity@oneonta.edu

Policy Statement:

SUNY Oneonta will review, evaluate, and apply software patches in a timely manner. Where hardware or software constraints prevent a patch from being applied in a timely manner, mitigating controls will be implemented based on the results of a risk assessment.

SUNY Oneonta will adhere to National Institute of Standards and Technology (NIST) guidance as set forth in Special Publication 800-40, Creating a Patch and Vulnerability Management Program, and any revised or updated successors.

Rationale:

To ensure the security of the campus network and protect SUNY Oneonta's data, all computers and network devices must be maintained at vendor-supported levels, and critical security patches must be applied in a timely manner consistent with an assessment of risk. This is a requirement of Oneonta's Information Technology Security Program, SUNY policy (Information Security Guidelines, Part 1: Campus Programs & Preserving Confidentiality), and industry best-practice guidelines.

Applicability of the Policy:

This policy covers all servers, workstations, network devices, operating systems (OS), applications, and other information assets for which vendors provide system patches or security updates.

Definitions:

Network Devices - Any physical component that forms part of the underlying connectivity infrastructure of a network, such as a router, switch, hub, bridge, or gateway.

Network Infrastructure - Includes servers, network devices, and any other back-office equipment.

Patch - A fix to a known problem in an OS or software program. For the purposes of this document, the term "patch" includes software updates.

OS - Operating system, such as Windows, Mac OS, or Linux.

Risk Assessment - An evaluation of the level of exposure to a vulnerability for which a patch has been issued.

Update - A new version of software providing enhanced functionality and/or bug fixes.

Vendor - Any organization or individual that does business with the institution.

Procedure:

Pre-patch Management:

  1. System administrators will use automated tools, where available, to create a detailed list of all currently installed software on workstations, servers, and other networked devices. A manual audit will be conducted on any system or device for which an automated tool is not available.
  2. Systems and software will be evaluated to verify the currency of patch and update levels, and an analysis of vulnerabilities will be performed. Online resources should be consulted in this process.
  3. Specific guidelines for applying patches and updates will be developed and made available to system administrators.

Patch Management:

  1. Automated tools will scan for available patches and patch levels, which will be reviewed as specified in the Patch Application Guidelines.
  2. Manual scans and reviews will be conducted on systems for which automated tools are not available.
  3. An informal risk assessment will be performed within 2 business days of the receipt of notification of patches. If a determination regarding the applicability of the patch or mitigating controls cannot be made at that time a formal risk assessment will begin.
  4. Vendor-supplied patch documentation will be reviewed to ensure compatibility with all system components before the patch is applied.
  5. Where possible, patches will be successfully tested on non-production systems running the majority of critical applications/services before being loaded on production systems.
  6. Successful backups of mission-critical systems will be verified prior to installation of patches, and a mechanism for reverting to the patch levels in effect prior to patching will be identified.
  7. Patches will be applied during an authorized maintenance window in cases where the patch application will cause a service interruption for mission-critical systems.
  8. Patches will be prioritized and applied in accordance with the SUNY Oneonta Patch Application Guidelines.
  9. Logs will be maintained for all system categories (servers, secure desktops, ASCI, switches, etc.) indicating which devices have been patched. These logs record the status of systems and provide continuity among administrators. The log may be in paper or electronic form. Information to be recorded includes, but is not limited to: date of action, administrator's name, patches and patch numbers that were installed, problems encountered, and the system administrator's remarks.
  10. In the event that a system must be reloaded, all relevant data on the current OS and patch level will be recorded. The system should be brought back to the patch levels in effect before reloading.
  11. In the event that a patch will not be applied due to incompatibility or risk acceptance, precautions to mitigate the risk of exploitation to the SUNY Oneonta network will be implemented and documented in the log.

Roles & Responsibilities:

  1. Information Technology Staff are responsible for ensuring that information resources are maintained in compliance with SUNY Oneonta patch management policies and procedures.
  2. Administrators of systems not managed by IT Staff (e.g., departmental servers, utility devices, etc.) are responsible for ensuring that their systems are maintained in compliance with SUNY Oneonta patch management policies and procedures.
  3. The Information Technology Security Administrator is responsible for auditing information systems to ensure that they comply with SUNY Oneonta patch management policies and procedures.

Related Documents / Policies:

SUNY Oneonta Information Technology Program
