Patch management policy

Updated on 23 January 2024

Outlines the University’s approach to the patch management of its infrastructure assets

Purpose

This policy outlines the University’s approach to the patch management of its infrastructure assets. It provides the guiding principles and responsibilities to ensure the University’s patch management objectives are met.

Scope

This policy applies to:

  • All systems and services which connect to the University network.

The policy will be communicated to users and relevant external parties by publication on the University website.

Objectives

The University’s objectives for this policy are to:

  • Protect the confidentiality, integrity, and availability of information.
  • Safeguard the University’s information from security threats that could have an adverse effect on its operations or reputation.
  • Fulfil the University’s duty of care toward the information with which it has been entrusted.
  • Enforce patch requirements to ensure that all patches or configuration changes are deployed to University infrastructure assets when a vulnerability is identified.

Policy

  • Patching of University-owned systems and services will be centrally managed by Digital and Technology Services (DTS).
  • Systems and services not centrally managed by DTS that are hosted on University-owned infrastructure shall be patched by the system owner or service manager.
  • Assessment and criticality scoring of vulnerabilities will be carried out by the DTS Cyber Security team.
  • University systems, devices, and applications must be updated within fourteen (14) days of any release of a patch that fixes Critical vulnerabilities. Based on the assessed severity and potential/actual impact, the Head of Cyber Security (or delegate) may mandate a shorter timeframe or approve an exception for any instance.
  • Patches to Medium and Low vulnerabilities must be installed within thirty (30) days of availability unless an exception has been approved by the Head of Cyber Security (or delegate).
  • Non-compliant systems may be prevented from accessing University infrastructure, including network, storage, or other services. This includes personal devices on which an identified vulnerability exists.

Legal and regulatory obligations

The University has a responsibility to abide by and adhere to all current UK and EU legislation, as well as a variety of regulatory and contractual requirements. A statement of regulations with relevance to this policy can be found on the IT Policies - relevant legislation web page.

Responsibilities

The following bodies and individuals have specific information security responsibilities:

  • The University Digital Committee has executive responsibility for information security within the University. The Digital Committee has responsibility for overseeing the management of the information security risks to the University's information assets.
  • The Director, DTS is responsible for establishing and maintaining the University’s cyber security management framework to ensure the availability, integrity and confidentiality of the University’s information.
  • The University’s Digital and Technology Services (DTS) is accountable for the effective implementation of this policy and supporting information security rules and standards.
    • The DTS Cyber Security Team is responsible for the provision of appropriate vulnerability assessments.
    • The DTS Cyber Security Team is responsible for reporting on compliance with this policy.
  • DTS Heads of Service as service owners are responsible for the maintenance and patching of the Operating Systems and Application software under their remit.
  • Owners or managers of non-centrally managed systems are responsible for ensuring that these systems are not vulnerable to known security issues for which fixes are available.

Supporting policies, codes of practice, procedures, and guidelines

Supporting policies have been developed to strengthen and reinforce this policy statement. These, along with associated codes of practice, procedures, and guidelines are published together and are available for viewing on the University’s website.

All staff, users, and any third parties authorised to access the University’s network or computing facilities are required to familiarise themselves with these supporting documents and to adhere to them in the working environment.

Compliance and breach of policy

The University shall conduct cyber security compliance and assurance activities, facilitated by the University’s cyber security staff, to ensure that cyber security objectives and the requirements of this policy are met. Failure to follow the policy will be treated seriously by the University and may result in enforcement action. If you have any questions or concerns about this policy, please discuss them with your line manager.

Review and development

This policy and its supporting documentation will be reviewed and updated at least annually. Further reviews and updates will take place when best practice or the legislative/regulatory environment changes to ensure that they:

  • Remain operationally fit for purpose
  • Reflect changes in technologies
  • Are aligned to industry best practice
  • Support continued regulatory, contractual, and legal compliance

Changes to this policy will follow Digital Committee procedure.

Further information

Definitions

University

The University of Dundee is a Scottish Registered Charity, No. SC01509 with its registered office at Tower Building, Nethergate, Dundee DD1 4HN

Staff

Staff are salaried members of the University or contracted individually by the University to provide a service.

Student

A person pursuing any course of study in the University.

Visitors

A visitor is anyone not registered with the University as a member of staff or student, that requires access to University premises or services.

Information

The result of processing, manipulating, or organising data. Examples include, but are not limited to, text, images, sounds, codes, computer programs, software, and databases.

Data

Information in raw form.

Confidentiality

Property that information is not made available or disclosed to unauthorised individuals, entities, or processes.

Integrity

Property of accuracy and completeness.

Availability

Principle of being accessible and usable upon demand by an authorised entity.

Patch

A software update designed as an interim measure between version releases to change functionality, usually to fix a specific problem.

If you have any questions regarding this policy, please contact the University’s Help4U service.