Everyone managing University IT systems is responsible for protecting and ensuring the security of the information transmitted and stored within them.
Keeping our systems regularly patched is a basic but vital action to prevent common malware attacks, which may result in the loss of confidentiality, integrity or availability of information.
This policy aims to reduce the risks relating to loss of information security by ensuring that technical vulnerabilities are identified and reviewed quickly, risks are evaluated, and appropriate mitigations (typically patches) are applied within a reasonable timeframe.
Device owners are responsible for following this policy. A device owner is the individual specified in the LAN DB, or in their absence, their line manager.
Security updates for all systems must be installed, and systems rebooted (if needed) within the following timeframes:
In practice this means servers must be automatically patched monthly, with expedited patching for critical vulnerabilities, especially where a method of attack has been publicly disclosed.
If a patch cannot be applied, a different approach to mitigating the risk must instead be developed and approved in writing by the IT Security team.
When a system is not patched in line with this policy, IT Services may take action to secure systems. This includes patching, rebooting, isolating or disconnecting systems from the campus network. Service owners will be notified after action has been taken.