Information Security Patch Management Procedure

Review Date/Issuing Authority

Review Date:  April 26, 2012
Issuing Authority:  Chief Information Security Officer

Purpose

To ensure that a process exists for testing and distributing patches on a timely and consistent basis.

Scope

This applies to all Computer Services personnel with management and administrative responsibilities for University servers.  

Policy

Technology Usage Policy
Policy # 04.71.11
http://policies.temple.edu/getdoc.asp?policy_no=04.71.11

A. Purpose of Policy

The purpose of this policy is to establish appropriate security requirements and restrictions on accessing and using University computers, computer systems and networks and safeguarding University information.

B. Scope of Policy

This policy covers all University owned and maintained computers, computer systems, computer networks and electronic communications facilities, the users of all such systems and networks, all computers connected to the Temple network, and to all University computing facilities, data centers and processing centers.

This policy represents the minimum security requirements that must be followed and establishes the Vice President for Computer and Information Services as the Temple University officer responsible for the establishment of and carrying out computer and network security policy.

Security Protections

a) Security patches shall be applied within 30 days of vendor release unless otherwise approved by the Chief Information Security Officer.

b) All computer equipment assigned IP addresses by Computer Services shall be protected by the University approved antivirus protector updated on a regular basis (generally within seven days).

Procedures

  1. Patches MUST be tested before being implemented in the production environment.
    a) Application owners delegate test servers that accurately reflect our production environments.
    b) Application owners should be made aware of our testing requirements.
    c) Make sure that VMs are also represented.
  2. After testing, application owners must verify that patches were successful and that any issues have been resolved.
  3. Production patches will be distributed in accordance with the schedule published on the Computer Services website.
  4. System owners who prefer to manage patches on their system will be required to submit a plan for testing and distributing patches in accordance with policy.