Patch Management Policy (Version 1)

Document Control Information:
Date: 21/5/18
Master Tracking Name: Patch Management Policy
Master Tracking Reference:
Owning Service / Department: Exeter IT
Issue: 1

Approvals:
Authors: P. Jones, T. Dyhouse and Ali Mitchell
Approved By: Exeter IT Senior Management Team
Authorised By: Chief Information & Digital Officer

Patch Management Policy v1 1
Document Control

Author | Version | Date Issued | Changes | Approval
P. Jones | 0.1 | 04/09/17 | Creation of document |
T. Dyhouse | 0.2 | 27/09/17 | QA of V0.1, addition of CAB measures. |
P. Jones | 0.3 | October 2017 | Updates from CGR and split into two documents. |
Ali Mitchell | 1.0 | May 2018 | Format and added in Third Party Suppliers | Published

Next review due: July 2018
Contents
1 Introduction 4
2 Purpose 4
3 Definitions 4
4 Scope 4
5 Policy 5
6 Roles and responsibilities 6
7 Monitoring and reporting 6
8 Policy review and maintenance 6
9 Advice 6
1. Introduction
The University of Exeter has a responsibility to uphold the confidentiality, integrity and availability of the data held on its IT systems on and off site, which includes systems and services supplied by third parties. The university has an obligation to provide appropriate and adequate protection of all IT estate, whether it is IT systems on premise, in the Cloud or systems and services supplied by third parties. Effective implementation of this policy reduces the likelihood of compromise which may come from a malicious threat actor or threat source.

2. Purpose
This document describes the requirements for maintaining up-to-date operating system security patches and software version levels on all the University of Exeter owned estate and services supplied by third parties.

3. Definitions
The term IT systems includes:
- Workstations
- Servers (physical and virtual)
- Firmware
- Networks (including hardwired, Wi-Fi, switches, routers etc.)
- Hardware
- Software (databases, platforms etc.)
- Applications (including mobile apps)
- Cloud Services

4. Scope
This policy applies to:
- Workstations, servers, networks, hardware devices, software and applications owned by the University of Exeter and managed by Exeter IT. This includes third parties supporting University of Exeter IT systems.
- Systems that contain company or customer data owned or managed by Exeter IT, regardless of location. Again, this includes third party suppliers.
- CCTV systems where recordings are backed up to the University's networks.
- Point of payment terminals using the University of Exeter's networks.
- Third party suppliers of IT systems as defined in Section 3.
5. Policy
University controls:
All IT systems (as defined in section 3), either owned by the University of Exeter or those in the process of being developed and supported by third parties, must be manufacturer supported and have up-to-date and security patched operating systems and application software.
Security patches must be installed to protect the assets from known vulnerabilities.
Any patches categorised as Critical or High risk by the vendor must be installed within 14 days of release from the operating system or application vendor unless prevented by University IT Change Control (CAB, Change Advisory Board) procedures. Where CAB procedures prevent the installation of Critical or High risk security patches within 14 days, a temporary means of mitigation will be applied to reduce the risk.

Workstations
All desktops and laptops that are managed by Exeter IT must meet the Laptop and Workstation Build Policy minimum requirements in build and setup. Any exceptions shall be documented and reported to the Exeter IT Head of IT Security and Compliance.

Servers
Servers must comply with the recommended minimum requirements that are specified by Exeter IT, which include the default operating system level, service packs, hotfixes and patching levels. Any exceptions shall be documented and reported to the Exeter IT Head of Security and Compliance.

Third Party Suppliers:
Security patches must be up-to-date for IT systems which are being designed and delivered by third party suppliers prior to going operational. Third party suppliers must be prepared to provide evidence of up-to-date patching before IT systems are accepted into service and thus become operational. Once the IT systems are operational, the following patching timescales apply:
- Critical or High Risk vulnerabilities: 14 calendar days
- Medium: 21 calendar days
- Low: 28 calendar days
6. Roles and Responsibilities
Exeter IT. Will manage the patching needs for the Windows, Apple Mac OS and Linux estate that is connected to the University of Exeter domain. Responsible for routinely assessing compliance with the patching policy and will provide guidance to all the stakeholder groups in relation to issues of security and patch management.
Change Advisory Board. Responsible for approving the monthly and emergency patch management deployment requests.
End User. The end user has a responsibility to ensure that patches are installed and the machine is rebooted when required. Any problems must be reported to Exeter IT.
Third Party Suppliers. Will ensure security patches are up-to-date for IT systems which are being designed and delivered by third party suppliers prior to going operational. Once the IT systems are operational, third party suppliers must ensure vulnerability patching is carried out as stipulated in Section 5 Policy. Where this is not possible, this must be escalated to the Head of IT Security and Compliance.

7. Monitoring and Reporting
Those with patching roles as detailed in section 6 above are required to compile and maintain reporting metrics that summarise the outcome of each patching cycle. These reports shall be used to evaluate the current patching levels of all systems and to assess the current level of risk. These reports shall be made available to the Cyber Security Team and Internal Audit upon request.

8. Policy Review and Maintenance
The Policy will be reviewed and updated annually, or as needed, to ensure that the policy remains aligned with changes to relevant laws, contractual obligations and best practice.

9. For advice
Please contact either the Head of IT Security and Compliance or the IT Operations and Security Manager. Queries can be emailed to information-security@exeter.ac.uk