All systems and software must be maintained according to the following guidelines.
Routine patching must be scheduled every 30 days for University-managed endpoints, servers, software and mobile devices. This includes maintaining current operating system (OS), application and security patch levels as recommended by the software manufacturer or by OIS. Routine patching should be performed during the applicable CCIT Maintenance Windows.
Out of Band/Emergency Patching
Out of Band or emergency patches will be evaluated when issued by the software manufacturer with an associated risk rating. In most cases this is the severity rating assigned in the National Vulnerability Database (NVD) to the Common Vulnerabilities and Exposures (CVE) entry, which is derived from its CVSS score, or the rating assigned by Microsoft for identified vulnerabilities.
The table below outlines the maximum time to apply patches based on the CVE or Microsoft Rating.
CVE / NVD Rating    Microsoft Rating    Maximum Time to Patch
High                Critical            < 7 days
Medium              Important           < 15 days
Low                 Moderate / Low      < 30 days
OIS will review all identified vulnerabilities and reserves the right to elevate any vulnerability rating, and the priority of the associated patches, based on widespread exploitation or imminent threat to the environment. When practical, all patches are to be tested on the affected assets in a non-production environment prior to deployment to production. A documented Request for Change (RFC) is required for all changes to production, including patching.
Vulnerability Scan Remediation
OIS performs regular vulnerability scans of systems and software on the University network. Identified vulnerabilities will be prioritized based on severity, asset criticality, and mitigating factors. System owners are responsible for remediating prioritized vulnerabilities in a timely fashion.
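The following script is an added example, not part of the policy or of any OIS tooling. It turns the patch-deadline table above and the prioritization rules in this section (severity, asset criticality, mitigating factors, OIS elevation) into a triage report over a constructed set of scan findings. The CVSS-to-rating bands are the NVD CVSS v3 qualitative bands (Critical 9.0+, High 7.0+, Medium 4.0+, otherwise Low), with v3 Critical treated as the 7-day tier; the field names, placeholder CVE identifiers and hostnames are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Maximum days to apply a patch, keyed by rating, taken from the policy table.
# NVD (CVSS) qualitative ratings and Microsoft ratings share one map;
# "critical" covers both Microsoft Critical and the CVSS v3 Critical band.
MAX_DAYS = {
    "critical": 7, "high": 7,        # NVD High / Microsoft Critical
    "important": 15, "medium": 15,   # NVD Medium / Microsoft Important
    "moderate": 30, "low": 30,       # NVD Low / Microsoft Moderate or Low
}


def nvd_rating(cvss: float) -> str:
    """Map a CVSS v3 base score to an NVD qualitative rating (assumed bands)."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


@dataclass
class Finding:
    host: str
    cve: str                          # placeholder identifier in the sample data
    detected: date                    # date the scanner first reported it
    cvss: Optional[float] = None      # CVSS base score from the scanner / NVD
    ms_rating: Optional[str] = None   # Microsoft bulletin rating, if applicable
    asset_critical: bool = False      # system owner's asset classification
    elevated: bool = False            # OIS elevated the rating (exploitation / threat)
    mitigated: bool = False           # a compensating control is already in place


def effective_rating(f: Finding) -> str:
    """OIS elevation wins; otherwise prefer the vendor (Microsoft) rating over CVSS."""
    if f.elevated:
        return "critical"
    if f.ms_rating:
        return f.ms_rating.lower()
    if f.cvss is not None:
        return nvd_rating(f.cvss)
    raise ValueError(f"{f.cve} on {f.host}: no rating available")


def deadline(f: Finding) -> date:
    """Last day on which the patch must be applied under the policy table."""
    return f.detected + timedelta(days=MAX_DAYS[effective_rating(f)])


def triage(findings: List[Finding], today: date) -> List[dict]:
    """Order findings for remediation: overdue first, unmitigated before mitigated,
    then by days remaining, with critical assets ahead of standard ones."""
    rows = []
    for f in findings:
        due = deadline(f)
        rows.append({
            "host": f.host, "cve": f.cve, "rating": effective_rating(f),
            "due": due, "days_left": (due - today).days, "overdue": today > due,
            "asset_critical": f.asset_critical, "mitigated": f.mitigated,
        })
    rows.sort(key=lambda r: (not r["overdue"], r["mitigated"],
                             r["days_left"], not r["asset_critical"]))
    return rows


# Constructed sample findings; hosts and CVE identifiers are placeholders.
TODAY = date(2020, 6, 15)
SAMPLE = [
    Finding("web01", "CVE-0000-0001", date(2020, 6, 1), cvss=9.8, asset_critical=True),
    Finding("file02", "CVE-0000-0002", date(2020, 6, 10), ms_rating="Important"),
    Finding("lab03", "CVE-0000-0003", date(2020, 5, 20), cvss=3.1),
    Finding("kiosk04", "CVE-0000-0004", date(2020, 6, 12), cvss=5.5,
            asset_critical=True, elevated=True),   # Medium, elevated by OIS to the 7-day tier
    Finding("print05", "CVE-0000-0005", date(2020, 6, 5), cvss=7.5, mitigated=True),
]

if __name__ == "__main__":
    for r in triage(SAMPLE, TODAY):
        flag = "OVERDUE" if r["overdue"] else f'{r["days_left"]}d left'
        print(f'{r["host"]:8} {r["cve"]:14} {r["rating"]:9} due {r["due"]} {flag}'
              f'{"  [mitigated]" if r["mitigated"] else ""}')
```

With the sample data the report lists the overdue critical web server first, then the overdue but mitigated finding, then the OIS-elevated kiosk ahead of the lab host with the same due date because its asset is classified critical. The deadline is computed from the scanner's first-detection date rather than the vendor's release date; if your scan cadence is longer than the 7-day tier, use the bulletin date instead or the Critical window is silently extended.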
Personally Owned Devices
Personal devices must run current, vendor-supported operating systems and software before connecting to University resources or storing or processing University data.
May 26, 2020