SEC-POL-001 Device Patching Policy

Introduction

Plymouth University has a multitude of servers, laptops and desktop computers, all of which are at risk from malicious attacks every month. The operating systems that provide the foundation for other software to run on are patched by the manufacturer at least monthly. It is imperative that these patches are installed within the timescales specified in this policy; for certain services that we provide, this is a regulatory requirement.

Technology and Information Services currently supports a large computing estate. A single unpatched machine connected to our network (a desktop, laptop or network switch, for example) provides a weakness that could be exploited to gain entry to our domain.

Definitions:

Device

a system, irrespective of operating system, that is used for communicating, storing, accessing or manipulating university data, including servers, laptops and desktop computers.

Infrastructure device

a system that depends on code to provide a service, including network switches, wireless access points etc.

Development system

a system that is specifically used to develop new or adjusted features of a service that does not directly affect live service.

Test system

a replica of the live system, aimed at testing code changes before release into the production environment.

Live system

a system that enacts change in a business as usual capacity.

Critical patch

a patch to fix a vulnerability whose exploitation could allow code execution without user interaction. These scenarios include self-propagating malware (e.g. network worms) and unavoidable common-use scenarios where code execution occurs without warnings or prompts.

Important patch

a patch to fix a vulnerability whose exploitation could result in the compromise of the confidentiality, integrity or availability of corporate or user data, or of the integrity or availability of processing resources.

Moderate patch

a patch to fix a vulnerability whose impact is mitigated to a significant degree by factors such as authentication requirements or applicability only to non-default configurations.

Low patch

a patch to fix a vulnerability whose impact is comprehensively mitigated by the characteristics of the affected component.

Out of band patch

a patch released outside the manufacturer's regular cycle for a vulnerability that must be fixed at the earliest available opportunity. These scenarios include zero-day exploits, which take advantage of a security hole on the same day the vulnerability becomes generally known.

Policy

Plymouth University will apply critical patches to all of its supported operating systems within fifteen (calendar) days of release by the manufacturer, subject to any change freeze in place. Important patches will be applied within sixty (calendar) days of release. Plymouth University will also patch its core infrastructure devices that could be affected by code-based vulnerabilities within sixty (calendar) days of release by the manufacturer. Finally, should out of band patches be released, they will be deployed within two working days of release.

Policy Exception

All financial systems used within Plymouth University should be patched within thirty (calendar) days of release by the manufacturer. This is to comply with the Payment Card Industry Data Security Standard (PCI DSS) requirement 6.1. If a supplier provides specific patches to mitigate identified operating system vulnerabilities, these patches should be applied to the appropriate systems within thirty (calendar) days of issue.

Policy Exclusions

Should a manufacturer issue a patch or update that solely addresses a vulnerability in an application running on a device, rather than in the operating system, that patch is not covered by this policy.

Patch Delivery

The university employs software that delivers security patches to devices and can enforce their installation. Patch installation on development and test systems should be performed automatically; the patches should then be tested there before installation on the live systems. Live systems should be patched automatically unless there is a specific business reason for installing the patches manually.

Out of band patches will be delivered as soon as installation and testing have been carried out on a number of representative development or test systems.

It is a violation of this policy for anyone to attempt to disable, remove or otherwise tamper with the software delivery mechanism on a device.  Failure to comply with this policy may result in disconnection from the network for the device and disciplinary action for the user.

Notwithstanding the annual review date, should any operating system change, this policy document should be updated to reflect the provision of service.

Author: Paul Ferrier Date: 08/01/2015 Version: 1.1
Document Security Level: PUBLIC
Document Approvals:
  Technical Architecture Group - January 2014
  Enterprise Architecture Practice - January 2014
  Enterprise Architecture Board - 22/09/2014
  IT Director - 07/11/2014

Review Date: October 2015