File code: TECH.PATCHING.POL
Approval Date: 4/29/2009
Approved By: President
All university-owned or operated computer systems and devices are to be protected through the deployment and installation of software patches, service packs, hot fixes, etc. This applies to all services installed, even though some services may be temporarily or permanently disabled (if you don’t want to patch it, uninstall it). Compliance with this policy must be actively tracked and documented by the support entity responsible for the administration or support of corresponding systems.
Critical security patches must be installed universally across applicable university computers when they first become available. Non-critical patches should be deployed as soon as possible but no later than six months (fall and summer breaks). WIU supports a centralized patching model and advocates that clients receive updates from official university sources managed by University Technology. Windows computers must be configured with auto-update enabled. This setting must be enforced via Active Directory Group Policies.
All security patches must be installed unless testing against critical systems results in system instability or reduction in needed functionality. Exceptions must be documented including a plan of action to eliminate the exception.
University areas responsible for the management of university-owned or operated computers must have operational plans in place that include regular (recommended quarterly but minimally semi-annually) checks to ensure the completeness and effectiveness of their patching processes. Additionally, semi-annual patching metrics and any exceptions must be presented to the CTSO.
Note: As a general rule, it is recommended that when possible you move to the latest version of an application as that will tend to be the most secure. This is especially true for software that is end-of-life as any future vulnerability will not be remediated by the vendor.