Patch management policy

Purpose

This policy outlines the University’s approach to the patch management of its infrastructure assets. It provides the guiding principles and responsibilities to ensure the University’s patch management objectives are met.

Scope

This policy is applicable across the University and applies to:

• all individuals who have access to University information and technologies
• all facilities, technology and services that are used to process University information
• all information processed, accessed, manipulated, or stored (in any format) by the University pursuant to its operational activities
• internal and external processes used to process University information
• external parties that provide information processing services to the University

The policy will be communicated to users and relevant external parties.

Objectives

The University’s objectives for this policy are to:

• safeguard the University’s information from security threats that could have an adverse effect on its operations or reputation
• fulfil the University’s duty of care toward the information with which it has been entrusted
• protect the confidentiality, integrity, availability, and value of information through the optimal use of controls

Policy

• Patching of University-owned systems will be centrally managed.
• Assessment of the criticality of vulnerabilities will be carried out by the Security and Risk Management Officer in conjunction with Product Engineers in UoD IT
• University systems, devices, and applications must be updated within seven days of any release of a patch that fixes High vulnerabilities. Based on the assessed severity and potential/actual impact, the Assistant Director of IT for Security, Infrastructure, and Research Computing may mandate a shorter timeframe for any particular instance.
• Patches to Medium and Low vulnerabilities must be installed within fourteen (14) days of availability.
• Unpatched user and/or BYOD devices (laptops, smartphones, tablets etc.) may be blocked from accessing the University network or systems.
• Non-compliant systems may be quarantined or otherwise switched off.
• The University has no mandate to require that personally-owned devices are kept up-to-date. Unpatched personally-owned devices may, however, be blocked from accessing the University’s network if they pose an identifiable risk.
• Patching will normally occur during the published IT at-risk windows which are Tuesday each week 7am until 9am and Thursday 7am until 9am, Where the IT at-risk windows are insufficient, communication of alternate times and durations will be provided through official University channels. Patching will normally be carried out by the Data Centre Operations team members.

Legal and regulatory obligations

The University has a responsibility to abide by and adhere to all current UK and EU legislation, as well as a variety of regulatory and contractual requirements.

A non-exhaustive summary of the legislation and regulatory obligations that contribute to the form and content of this policy is provided in IT policies - relevant legislation.

Related policies will detail other applicable legislative requirements or provide further detail on the obligations arising from the legislation summarised below.

Responsibilities

The following University bodies and individuals have specific information security responsibilities. The:

• Information Technology department(IT) is accountable for the effective implementation of this policy, and supporting information security rules and standards, within the University.
• Data, Records, and Information Committee (DRIC) has executive responsibility for information security within the University. DRIC has responsibility for overseeing the management of the information security risks to the University's students and staff, its infrastructure, and its information.
• Assistant Director of IT (Infrastructure, Security, and Research Computing) is responsible for establishing and maintaining the University’s cyber security management framework to ensure the availability, integrity, and confidentiality of the University’s information. The Assistant Director will lead on the definition and implementation of the University’s cyber security arrangements, and make judgement calls when situations arise that are not covered by the current cyber security management framework.
• Users are responsible for making informed decisions to protect the information that they process. Users will familiarise themselves with the relevant policies governing the information and systems they access.

Supporting policies, codes of practice, procedures, and guidelines

Supporting policies have been developed to strengthen and reinforce this policy statement. These, along with associated codes of practice, procedures, and guidelines are published together and are available for viewing on the University’s website.

All staff, users, and any third parties authorised to access the University’ network or computing facilities are required to familiarise themselves with these supporting documents and to adhere to them in the working environment.

Compliance and breach of policy

The University will conduct cyber security compliance and assurance activities, facilitated by the University’s cyber security staff, to ensure cyber security objectives and the requirements of the policy are met. Wilful failure to comply with the policy will be treated seriously by the University and may result in enforcement action whereby a group and/or an individual is held personally responsible. Any questions or concerns about this policy should be discussed with Line Managers.

Review and development

This policy and its supporting documentation will be reviewed and updated at least annually. Further reviews and updates will take place when best practice or the legislative/regulatory environment changes to ensure that they:

• Remain operationally fit for purpose
• Reflect changes in technologies
• Are aligned to industry best practice
• Support continued regulatory, contractual, and legal compliance

Changes to this policy will be presented to DRIC for review prior to publication.

Further information 

Definitions

University

The University of Dundee is a Scottish Registered Charity, No. SC01509 with its registered office at Tower Building, Nethergate, Dundee DD1 4HN

Staff

Staff are salaried members of the University or contracted individually by the University to provide a service.

Student

A person pursuing any course of study in the University.

Visitors

A visitor is anyone, not a member of staff or student, requiring access to University premises or services.

Information

The result of processing, manipulating, or organising data. Examples including but not limited to, text images, sounds, codes, computer programmes, software and databases.

Data

Information in raw form.

Confidentiality

Property that information is not made available or disclosed to unauthorized individuals, entities, or processes.

Integrity

Property of accuracy and completeness.

Availability

Property of being accessible and usable upon demand by an authorized entity.

Relevant legislation

A non-exhaustive summary of the legislation and regulatory obligations that contribute to the form and content of this policy is provided in IT policies - relevant legislation

If you have any questions regarding this policy please contact the University’s Help4U service