Server Patch Management Policy

Patch Management Policy – Server Operating Systems

Purpose

All members of Clemson University are responsible for ensuring the confidentiality, integrity, and availability of university data and of customer data stored on or within its computing environment. Clemson University has an obligation to provide appropriate protection against unauthorized use of its computing assets. Unauthorized use may take the form of malware threats, such as viruses, Trojans, or worms, or of other unauthorized configuration or code that could adversely affect the security of a system or of the data entrusted to it. Additionally, to remain sustainable and interoperable, systems need to be updated routinely and intentionally. Effective implementation of this policy will limit the exposure and effect of common malware threats to the systems within its scope.

Persons, groups, systems affected

All CCIT employees and contractors

Policy

Servers owned by Clemson University and maintained by Clemson Computing and Information Technology (CCIT) must have and maintain up-to-date operating system (O/S) patches. A systems patch cycle for all server O/S shall be scheduled once per month, with no more than thirty (30) days between patch updates.

These servers, services, or applications will maintain current O/S, application, or security patch levels as recommended by the software manufacturer or by the Office of Information Security and Privacy (OISP) to protect the asset from known compatibility and vulnerability issues. Any out-of-band patching will be prioritized by the levels of criticality described below. Any intentional choice not to patch to the current supported or recommended patch level, or not to implement an out-of-band patch, must be documented with justification for deferring the patch, stating either why it is not applicable or what mitigation has been implemented, and must be approved by the CISO or designee (see Exceptions below).

Out-of-Band/Emergency Patching

Out-of-band or emergency patches will be evaluated when issued by the vendor with an associated risk rating. All other patching will be applied based on the Common Vulnerability Scoring System (CVSS) base score recorded for the CVE in the National Vulnerability Database maintained by NIST: High severity within seven (7) calendar days; Medium severity within fifteen (15) calendar days; and all others within thirty (30) calendar days. Security has established the following rating scheme:

High (< 7 days): CVSS base score of 10 and/or remotely exploitable

Medium (< 15 days): CVSS base score between 5 and 9

Low (< 30 days): CVSS base score less than 5

Specifically for Microsoft systems:

Critical (< 7 days): A vulnerability whose exploitation could allow the propagation of an Internet worm without user action.

Important (< 15 days): A vulnerability whose exploitation could result in compromise of the confidentiality, integrity, or availability of user data, or of the integrity or availability of processing resources.

Moderate (< 30 days): Exploitability is mitigated to a significant degree by factors such as default configuration, auditing, or difficulty of exploitation.

Low (< 30 days): A vulnerability whose exploitation is extremely difficult, or whose impact is minimal.

OISP will review all identified vulnerabilities and reserves the right to elevate any vulnerability rating, and the priority of its associated patches, based on widespread exploitation or an imminent threat to the environment. All patches are to be tested in a non-production environment prior to deployment to production whenever that is practical and test assets are available. A documented RFC is required for all changes to production, including patching.

Monitoring and Reporting

Teams responsible for applying patches are required to compile and maintain reporting metrics that summarize the outcome of each patching cycle. Patching activities must be recorded in the already established Change Management processes. These reports shall be used to evaluate the current patch levels of all systems and to assess the current level of risk. They shall be made available to OISP and Internal Audit upon request. Once every six months a meeting will be scheduled with ISO and OISP members to review the effectiveness of the current patching procedures as well as any system exceptions that have been allowed.
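The following is an added example, not part of the Clemson policy or any CCIT tooling, showing how the rating scheme above (CVSS score, remote exploitability, Microsoft severity, OISP elevation) turns into a due date per finding, and how a team could produce the per-cycle metrics this section asks for from a patch inventory. The inventory, host names, dates and CVE numbers are constructed placeholders; the decision to read the "5-9" band as 5.0 up to but excluding 10.0, and to start the remediation window on the date the patch or advisory was published, are assumptions made here, not statements of the policy.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Remediation windows in calendar days, taken from the policy's rating scheme.
WINDOW_DAYS = {"High": 7, "Medium": 15, "Low": 30}

# The policy's Microsoft severity table folded into the same three windows.
MS_SEVERITY_TO_RATING = {
    "Critical": "High",
    "Important": "Medium",
    "Moderate": "Low",
    "Low": "Low",
}


def policy_rating(cvss: Optional[float], remotely_exploitable: bool,
                  ms_severity: Optional[str] = None, elevated: bool = False) -> str:
    """Return the policy bucket ("High", "Medium", "Low") for one vulnerability.

    Assumptions (ours, not the policy's): the "5-9" band is read as
    5.0 <= score < 10.0, and `elevated` models OISP raising a rating because
    of active exploitation, which the policy reserves the right to do.
    """
    if elevated:
        return "High"
    if ms_severity is not None:
        return MS_SEVERITY_TO_RATING[ms_severity]
    if cvss is None:
        raise ValueError("need a CVSS base score or a Microsoft severity")
    if cvss >= 10.0 or remotely_exploitable:
        return "High"
    if cvss >= 5.0:
        return "Medium"
    return "Low"


@dataclass
class Finding:
    host: str
    cve: str                                 # placeholder IDs in the sample data
    cvss: Optional[float]
    remotely_exploitable: bool
    published: date                          # assumed start of the window
    patched: Optional[date] = None
    ms_severity: Optional[str] = None
    exception_ticket: Optional[str] = None   # approved OISP exception, if any


def due_date(f: Finding) -> date:
    """Deadline for this finding under the policy's windows."""
    rating = policy_rating(f.cvss, f.remotely_exploitable, f.ms_severity)
    return f.published + timedelta(days=WINDOW_DAYS[rating])


def finding_status(f: Finding, today: date) -> str:
    """'exception' if covered by an approved ticket, else 'compliant' or 'overdue'.

    An unpatched finding is judged against today's date, so it turns overdue
    the day after its deadline passes even if nobody has looked at it.
    """
    if f.exception_ticket:
        return "exception"
    closed_on = f.patched if f.patched is not None else today
    return "compliant" if closed_on <= due_date(f) else "overdue"


def cycle_report(findings: List[Finding], today: date) -> Dict[str, object]:
    """Per-cycle metrics: counts per status, overdue hosts, and the compliance
    percentage over findings that are not covered by an exception."""
    counts = {"compliant": 0, "overdue": 0, "exception": 0}
    overdue_hosts: List[str] = []
    for f in findings:
        s = finding_status(f, today)
        counts[s] += 1
        if s == "overdue":
            overdue_hosts.append(f.host)
    measured = counts["compliant"] + counts["overdue"]
    pct = round(100.0 * counts["compliant"] / measured, 1) if measured else 100.0
    return {"counts": counts, "overdue_hosts": sorted(overdue_hosts), "compliance_pct": pct}


# Constructed sample inventory; hosts, dates, tickets and CVE numbers are placeholders.
REPORT_DATE = date(2015, 7, 1)
SAMPLE_FINDINGS = [
    Finding("web01", "CVE-0000-0001", 9.8, True, date(2015, 6, 1), patched=date(2015, 6, 5)),
    Finding("db01", "CVE-0000-0002", 7.5, False, date(2015, 6, 1)),
    Finding("file01", "CVE-0000-0003", 3.1, False, date(2015, 6, 10), patched=date(2015, 6, 30)),
    Finding("app01", "CVE-0000-0004", None, False, date(2015, 6, 20), ms_severity="Critical",
            exception_ticket="ITHELP-0001"),
    Finding("app02", "CVE-0000-0005", None, False, date(2015, 6, 20), ms_severity="Important",
            patched=date(2015, 6, 30)),
]

if __name__ == "__main__":
    for f in SAMPLE_FINDINGS:
        print(f"{f.host:7} {f.cve:14} due {due_date(f)}  {finding_status(f, REPORT_DATE)}")
    print(cycle_report(SAMPLE_FINDINGS, REPORT_DATE))
```

Run against the sample, the report counts three compliant findings, one overdue (db01, a Medium published 1 June and still unpatched on 1 July) and one under exception, for 75% compliance among measured findings. Findings under an approved exception are counted but excluded from the percentage so that they still appear in the six-monthly exception review without masking overdue work.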

Enforcement

OISP, Internal Audit, and/or approved third-party assessors may conduct random assessments without notice to ensure compliance with this policy. Any system found in violation of this policy will require immediate corrective action and may be disconnected from the university network until the vulnerability is corrected. Violations shall be noted in Clemson University's incident tracking system, and support teams shall be requested to remediate the issue in a timely manner.

Exceptions

Because patching carries a risk to sustaining operations, some patches or updates may be approved for installation on a different schedule than this policy allows. These will be evaluated case by case and approved by OISP with SME input from the appropriate support staff and business owner. Exceptions to the patch management policy require formal documented approval from OISP. Any servers or systems that do not comply with this policy must have a documented exception approved by OISP.

An ITHelp ticket for all exceptions is required. Select the Server Patch Management Exception template for assistance with ticket creation. Each ticket will be reviewed by OISP, then either approved or more information will be requested from the submitter. Any system that does not have an approved exception ticket, and is not included in the patch schedule set forth in this policy, will be deemed by OISP to be out of compliance and in violation of this policy.

Procedures and compliance references

http://www.clemson.edu/ccit/help_support/cm/maintenance_windows.html

Revision History

Revision Date | Revision Number | Change Made | Reviewed By
June 09, 2015 | 1.0 | Initial Posting | HWS

Information Security &
Privacy at Clemson

The Office of Information Security and Privacy is part of CCIT's Customer Services & Information and Privacy department, led by Hal Stone.

In addition to overseeing CCIT information policies and standards, the group serves to inform users and support personnel of possible threats to Clemson University computing resources and to disseminate recovery information quickly so that minimum downtime is experienced.
