Ģ����Ƶ

Purpose

Standard

1. Enterprise servers
   1. All university owned servers will be maintained with the latest security patches to their operating systems and applications.
   2. Each unit is responsible for OHIO Systems under their control.  Units must ensure that their staff maintain knowledge of patch releases either through subscribing to the appropriate notification list or by direct notification from the vendor.  When a patch is announced, an authorized system administrator must document the change including criticality rating according to the OIT change management policy. Critical ratings are generally supplied by vendors, but in the case that no criticality is supplied, the system administrator must assign a criticality rating based on their experience, the classification of the data (per Policy 93.001 Data Classification) contained on the server, and the level of risk to the institution in the event of compromise. 

   3. All high/critical patches must be applied as soon as possible. This period shall not exceed thirty (30) calendar days after public release for any critical production server.     

   4. All medium/high criticality patches or patches for non-critical systems must be applied within sixty (60) calendar days.     

   5. Any low criticality patches will be installed on a case-by-case basis.  All patches should be tested on development systems before being rolled out to production, where possible. 
   6. In cases where patching cannot follow the standard as outlined above, an exception request form (see below) must be completed and submitted to the Information Security Office (ISO) for review and analysis of risk.  Additionally, a risk acceptance form may be required upon review of the exception request form.  All deferred patches will be reviewed quarterly.
   7. All patches for vendor-maintained systems/applications that are labeled as high/critical must also be patched within thirty (30) days of the approved release from the vendor. The operating unit is responsible for maintaining knowledge of these patches and ensuring that vendors comply with this standard. 

   8. Units are responsible for performing routine vulnerability scans, and reports should be retained for at least ninety (90) days.   

2. Endpoints
   1. All endpoints are to have critical operating system and application patches installed within thirty (30) days of release from the vendor.

   2. Software vendors release security patches on a regular schedule.  For centrally managed devices, applicable patches will be tested and validated by OIT prior to deployment to campus.  Once validated, OIT will schedule and deploy validated patches to endpoints on a monthly basis.  OIT will communicate with the campus community regarding deployed security patches.     

3. Procedures
   1. Installation and validation
      1. A system reboot is required to successfully install most security patches.  Until the reboot occurs, the computer will remain vulnerable to attacks which the installed patch protects against. OIT recognizes that flexibility may be needed around a system reboot to provide the university community with the option to reboot with minimal impact to productivity and operations. As such, security updates will be deployed using an "optional-mandatory" method.
         1. The optional-mandatory method allows users to install scheduled updates at their convenience within a pre-determined timeframe. If the updates are not installed within this period, they will automatically install and may require a system reboot. To ensure that end points are protected and work is not disrupted, it is strongly recommended that users install the updates as soon as possible. When updates are available, notifications will appear and will continue to appear until the updates are installed. Additionally, the frequency of notifications will increase as the end of the optional-mandatory period approaches.
   2. Out of band updates
      1. On occasion, a software vendor will release a critical security patch outside of their normal release cycle.  The usual reason for the release of an out-of-band patch is the appearance of an unexpected, widespread, destructive exploit that will likely affect a large number of users.  In the event of a published out of band patch, OIT will expedite the validation process.  Once validated, users will have one (1) business day to install and reboot their machine to apply the patch.  If the deadline passes, updates will automatically install and may enforce reboots of your computer as the updates require.  OIT will communicate with the campus community in the event of an out-of-band update deployment.
   3. Mandatory reboot exemption
      1. If the five (5) business day window for patch application could have a negative impact on academic or operating unit processes, an exemption may be granted.  Users who feel this is the case may contact the OIT Service Desk and request to be temporarily exempted from the mandatory reboot process.  If an exemption is granted, endpoints will still have patches deployed regularly, but it will be the end user's responsibility to reboot the machine to apply the necessary security patches. Each exemption request will be reviewed on a case-by-case basis and will have a limited duration for the granted exemption.   

Definitions

References

Exceptions

Request an exception:

Complete Exception request form.

Reviewers

History