Security Patch Management
Standard and Process
See the specific requirements in the Security Patch Management Standard in the University Policy library. The following supplements the requirements in University policy.
Vendors (or the open source community) periodically publish security patches for their software (e.g., operating system, application program, firmware). A security patch fixes a security vulnerability. Install security patches when they are made available and follow the vendor's instructions to ensure that each patch is actually applied (e.g., some patches do not take effect until the system or device is restarted).
Document and follow a process to manage security patching, which includes the following:
- identification of security patches to apply;
- analysis and testing of security patches, or analysis of the risk of leaving the vulnerability unpatched;
- change control process for scheduled or emergency patching;
- escalation with management sign-off for critical security patches that cannot be applied within 30 days of release, or sooner when notified that patching must occur sooner;
- immediate patching in response to an active exploit.
Older versions of operating systems, applications, or firmware increase the risk that current security patches are no longer being developed for the software. Installation of newer versions of the operating system, application program, or firmware may be needed to keep the software patchable.
Technical staff are responsible for working with users, data owners, data custodians, and service owners to develop security patch plans for University resources.
Users, data owners, data custodians, and service owners need to work with Technical staff to understand and follow the security patch plan. This may include connecting the computer to the University network to download patches and restarting the computer to apply the security patches.
See the Information Security policy appendices for additional information security standards that also apply.
- This standard is based on the principles of ISO/IEC 27002:2005.
Document Owner: University Information Security
Document Approvers: Brian Dahlin, Chief Information Security Officer; Bernard Gulachek, VP of Information Technology and Chief Information Officer
Effective Date: August 2010
Last Reviewed Date: May 2019