Patching policy

Everyone managing University IT systems is responsible for protecting and ensuring the security of the information transmitted and stored within them.

Keeping our systems regularly patched is a basic but vital action to prevent common malware attacks, which may result in the loss of confidentiality, integrity or availability of information.

This policy aims to reduce the risks relating to loss of information security, by ensuring that technical vulnerabilities are identified and reviewed quickly, risks are evaluated, and appropriate mitigations - typically patches - are applied within a reasonable timeframe.

Policy statements

Device owners are responsible for following this policy. A device owner is the individual specified in the LAN DB, or in their absence, their line manager.

Security updates for all systems must be installed, and systems rebooted (if needed) within the following timeframes:

  • All security patches must be applied within 30 days of release.
  • Critical vulnerabilities must be patched within 14 days of patch release.
  • These timescales may be reduced if required by the IT Security team.

In practice this means servers must be automatically patched monthly, with expedited patching for critical vulnerabilities especially where there is a publicly disclosed method of attack.

If a patch cannot be applied, a different approach to mitigating the risk must instead be developed and approved in writing by the IT Security team.

When a system is not patched in line with this policy, IT Services may take action to secure systems. This includes patching, rebooting, isolating or disconnecting systems from the campus network. Service owners will be notified after action has been taken.

Clarifications

  • The CVSS v3 severity scale is used to determine if a patch is critical. These scores are typically provided by vendors in the documentation relating to the patch.
  • Mitigations may include using firewall rules to restrict traffic to affected services, disabling affected services, or disconnecting the server from the network. IT Services can offer assistance with this.
  • Servers must use a supported operating system, i.e. the OS is maintained and receives regular security updates. This is explained in the Guidance for policy for safe use of University information on all devices under "User Commitment 2.5".
  • Feature updates or other updates that do not provide security fixes are not covered by this policy; however, it is good practice to review and update regularly, since routine updates may include undocumented security fixes.
  • Patch status and/or vulnerability scanner reports will be reviewed by the IT Services Security Group.