SUNY Oneonta will review, evaluate, and appropriately apply software patches in a timely manner. If patches cannot be applied in a timely manner due to hardware or software constraints, mitigating controls will be implemented based upon the results of a risk assessment.
SUNY Oneonta will adhere to National Institute of Standards and Technology (NIST) guidance as set forth in Special Publication 800‐40, Creating a Patch and Vulnerability Management Program, and any revised or updated successors.
In order to ensure the security of our network and protect the College’s data, all computers and network devices must be maintained at vendor supported levels and critical security patches must be applied in a timely manner consistent with an assessment of risk. This is a requirement of Oneonta’s Information Technology Security Program, SUNY policy (Information Security Guidelines, Part 1: Campus Programs & Preserving Confidentiality), and industry best practice guidelines.
Applicability of the Policy:
This policy covers all servers, workstations, network devices, operating systems (OS), applications, and other information assets for which vendors provide system patches or security updates.
Network Devices ‐ Any physical component that forms part of the underlying connectivity infrastructure for a network, such as a router, switch, hub, bridge, gateway, etc
Network Infrastructure ‐ Includes servers, network devices, and any other back‐office equipment
Patch ‐ A fix to a known problem with an OS or software program. For the purposes of this document, the term “patch” will include software updates.
OS ‐ Operating System such as Windows, Mac, Linux
Risk Assessment – An evaluation of the level of exposure to a vulnerability for which a patch has been issued
Update – a new version of software providing enhanced functionality and/or bug fixes
Vendor ‐ Any organization or individual(s) that do business with the College
Pre‐patch Management: Patch Management and System Updates Policy
- System administrators will use automated tools, where available, to create a detailed list of all currently installed software on workstations, servers, and other networked devices. A manual audit will be conducted on any system or device for which an automated tool is not available.
- Systems and software will be evaluated to verify currency of patch and update levels and an analysis of vulnerabilities will be performed. Online resources such as the US Computer Emergency Response Team (https://www.us-cert.gov/) and the National Vulnerability Database (http://nvd.nist.gov) should be consulted in this process.
- Specific guidelines for applying patches and updates will be developed and made available to system administrators.
- Automated tools will scan for available patches and patch levels, which will be reviewed as specified in the Patch Application Guidelines.
- Manual scans and reviews will be conducted on systems for which automated tools are not available.
- An informal risk assessment will be performed within 2 business days of the receipt of notification of patches. If a determination regarding the applicability of the patch or mitigating controls cannot be made at that time a formal risk assessment will begin.
- Vendor-supplied patch documentation will be reviewed in order to assure compatibility with all system components prior to being applied.
- Where possible, patches will be successfully tested on non‐production systems installed with the majority of critical applications/services prior to being loaded on production systems.
- Successful backups of mission-critical systems will be verified prior to installation of patches and a mechanism for reverting to the patch levels in effect prior to patching will be identified.
- Patches will be applied during an authorized maintenance window in cases where the patch application will cause a service interruption for mission-critical systems.
- Patches will be prioritized and applied in accordance with College Patch Application Guidelines.
- Logs will be maintained for all system categories (servers, secure desktops, ASCI, switches, etc.) indicating which devices have been patched. System logs help record the status of systems and provide continuity among administrators. The log may be in paper or electronic form. Information to be recorded will include but is not limited to: date of action, administrator’s name, patches and patch numbers that were installed, problems encountered, and the system administrator’s remarks. Patch Management and System Updates Policy
- In the event that a system must be, reloaded, all relevant data on the current OS and patch level will be recorded. The system should be brought back to the patch levels in effect before reloading.
- In the event that a patch will not be applied due to incompatibility or risk assumption, precautions to mitigate the risk of exploitation to the College network will be implemented and documented in the log.
Roles & Responsibilities:
- Information Technology Staff are responsible for ensuring that information resources are maintained in compliance with SUNY Oneonta patch management policies and procedures.
- Administrators of systems not managed by IT Staff are responsible for ensuring that their systems are maintained in compliance with SUNY Oneonta patch management policies and procedures (e.g.: departmental servers, utility devices, etc.).
- The Information Technology Security Administrator is responsible for auditing information systems to ensure that they comply with SUNY Oneonta patch management policies and procedures.
Questions related to the daily operational interpretation of this policy should be directed to:
IT Security Administrator
Related Documents / Policies:
Approved by the President on 10/27/2009
Review Schedule: This policy should be reviewed and updated annually.