University of Minnesota

STANDARDS & GUIDELINES


STANDARD—Security Patch Application (Appendix H)


Responsible Office: Office of Information Technology
Responsible Officer: Chief Information Officer

EFFECTIVE DATE: January 2004
RELATED POLICY/PROCEDURE:
Acceptable Use of Information Technology Resources

STANDARD
A standard is a level of quality that requires conformity.


Introduction

The Chief Information Officer is designated by the "University Acceptable Use of Information Technology Resources Policy" as the institutional officer responsible for identifying standards for access to and acceptable use of information technology resources. This standard identifies the need to apply vendor-issued critical security updates and patches regularly to protect University data and systems. It applies to all electronic devices connected to the University network, including computers, network switches and routers, personal digital assistant devices, laptop computers, etc.

Almost all operating systems and many software programs have periodic security patches released by the vendor that need to be applied. If critical patches and updates are not applied on a regular basis, computers on the University network risk being vulnerable to worms, viruses, Trojans, and direct hacker attacks. The result can be loss of data, denial of service for other users, or attacks directed at other Internet users from the compromised machine. To protect against these risks, the Chief Information Officer has approved this standard.

Application of Critical Security Patches

  • Computers and other electronic devices attached to the University network must be regularly maintained including the application of critical security patches within 60 days after release by the vendor. Computers and other electronic devices with non-public or sensitive data must have critical patches applied more frequently. Other patches not designated as critical by the vendor must be applied on a normal maintenance schedule, which may depart from the above.

  • Many vendors have automated the patching procedure, particularly for desktop computers. While there is some potential for error on the vendor's part, the risk of applying automated patches is substantially less than the risk of patches never being applied at all because of oversight.

  • Patches on production systems (e.g., servers) may require complex testing and installation procedures. In certain cases, a risk mitigation other than patching is preferable. The risk mitigation alternative selected should be in proportion to the risk. For devices storing non-public data, the reason for any departure from the above standard, and the alternative protection measures taken, must be documented in writing.

  • The regular application of critical security patches is reviewed as part of the normal University audit procedures. Collegiate and departmental technology support staff as well as OIT can be contacted for additional questions (contact OIT by dialing 1-HELP, 612-301-4357).
