Policy Patchmanagement
1. PURPOSE: The purpose of this policy is to ensure that all University-owned devices are proactively managed
and patched with appropriate security updates. In addition, this policy is intended to instruct and inform the
University community about the change in end-point computing.
2. SCOPE: This policy applies to all Enterprise Servers that are owned by the University. It also applies to
University-issued Windows endpoints bound to Active Directory (AD).
3. POLICY: University of Portland is committed to ensuring a secure computing environment and recognizes the
need to prevent and manage IT vulnerabilities. A compromised computer threatens the integrity of the
network and all computers connected to it. Patch and vulnerability management is a security practice designed
to proactively prevent the exploitation of IT vulnerabilities that exist within an organization. Proactively
managing vulnerabilities will reduce or eliminate the potential for exploitation and involve considerably less
time and effort than responding after exploitation has occurred. All servers under Information Services (IS)
control will be maintained with the latest security patches to their operating systems and key applications.
a. Each business unit is responsible for the devices and systems under its control.
b. Business unit directors must ensure that their staff maintain knowledge of patch releases either through
subscribing to the appropriate mailing list or by direct notification from the vendor.
c. When a patch is announced, an authorized system administrator must enter a change ticket according to
the change management policy.
d. When the ticket is entered, a criticality rating of either high or normal must be assigned. Criticality ratings
are usually supplied by vendors, but in the case that no criticality is supplied, the system administrator
must assign a rating based on his/her experience.
e. All high/critical patches must be applied as soon as practically possible, but not longer than thirty (30)
calendar days after public release for any critical production server.
f. All patches that are medium/high severity or for non-critical systems must be rolled out within ninety (90)
calendar days.
g. Any low priority patches will be installed on a case-by-case basis. All patches should be tested on
development systems before being rolled out to production, where possible.
h. In the case where patches cannot follow the schedule, a document must be produced explaining why the
patch must be deferred. Permissible deferrals may include a lack of appropriate change windows within
the appropriate timeframe or a conflict with other critical changes scheduled at that time.
i. Any patches which are to be deferred longer than the scheduled timeframe must be approved by the Chief
Information Officer (CIO) or his/her assignee. All deferred patches must be reviewed at least quarterly.
j. All patches for vendor maintained systems/applications that are labeled as high/critical and apply to
security must also be patched within 90 days of the approved release from the vendor.
k. Any functional but non-critical patches may be installed on a case-by-case basis. IS is responsible for
maintaining knowledge of these patches and ensuring that vendors comply with our internal policy.
l. The Security Analyst is responsible for performing a vulnerability scan on the systems after each patch
window to show that the patches were installed correctly. Clean vulnerability scan reports should be
submitted to the Infrastructure Manager quarterly for review.
m. All University-owned Windows based endpoints are to have critical operating system and key application
patches installed within 30 days of release from the vendor.
4. GUIDANCE:
a. Scheduling and Deployment: Software vendors release security patches on a regular schedule. Applicable
patches will be tested and validated by IS prior to deployment to campus. Once validated, IS will schedule
and deploy validated patches to endpoints monthly. Communication to campus regarding deployed
security patches will be done through Pilots announcements.
b. Installation and Validation: A system reboot is required to successfully install most security patches. Until
the reboot occurs, the computer remains vulnerable to attacks which the installed patch protects
against. IS understands the impact an ill-timed reboot can have on user productivity. In order to provide
the University community with as much flexibility as possible, security updates will be deployed using an
“optional-mandatory” method.
The optional-mandatory method will allow users to install scheduled updates at their convenience before a
deadline occurs. Users will be provided five (5) business days to select the installation time of their
choosing for deployed patches. After the deadline passes, updates will automatically install and may
enforce reboots of the computer as the updates require. It is strongly recommended that users install the
updates as soon as possible to ensure that endpoints are protected and rebooting does not disrupt work.
When updates are available, a notification will appear in the system tray. The message will continue to
appear daily until the updates are installed and will appear more frequently as the deadline approaches.
c. Out-of-Band Updates: On occasion a software vendor will release a highly critical security patch outside of
their normal release cycle. The usual reason for the release of an out-of-band patch is the appearance of
an unexpected, widespread, destructive exploit that will likely affect a large number of users. In the event
of a published out-of-band patch, Information Services (IS) will expedite the validation process. Once
validated, users will have two (2) business days to install and reboot their machine to apply the
patch. After the deadline passes, updates will automatically install and may enforce reboots of the
computer as the updates require. IS will communicate to the campus via Pilots announcements in the
event of an out-of-band update deployment.
d. Mandatory Reboot Exemption: There is the possibility of academic or administrative processes being
negatively impacted even with a five-day window for users to apply patches. Users who could be impacted
in this scenario may contact the University Helpdesk and request to be temporarily exempted from the
mandatory reboot process. The endpoints being exempted will still have patches deployed regularly, but it
will be the responsibility of the end user to reboot the machine to apply those security patches. Each
request will be reviewed on a case-by-case basis and will have a limited duration for exemption.
5. EXCEPTIONS: Exceptions must be approved by the CIO. There are no other exceptions for this policy.
6. SANCTIONS: Accounts and network access may be administratively suspended by the University with or
without notice when, in the University’s judgment, continued use of the University’s resources may interfere
with the work of others, place the University or others at risk, or violate University policy. Any violation of this
policy by a student may lead to disciplinary charges under the appropriate student disciplinary policy, which
may include expulsion or suspension of student status. Faculty and staff violations will be addressed by their
respective disciplinary policies and procedures. All known and/or suspected violations will be reported to the
Vice President for University Operations. Users of University of Portland computing facilities are subject not
only to University Policies, but also to applicable local, state and federal laws.