University of Kansas Medical Center Operational Protocol: Security Patch Management


Principles Statement

The University of Kansas Medical Center recognizes that the regular application of vendor-supplied security patches is a critical component in protecting the University network, systems and data from damage or loss due to threats such as worms, viruses and directed attacks.

Purpose

The purpose of this policy is to define the requirements for notification, testing and installation of security-related patches. While important to the correct functionality of a software application or system, those patches that are not security-related are not covered by this policy.

Individuals and Groups Covered By This Policy

This policy applies to all electronic devices connected to the University network, including but not limited to computer workstations and servers, network switches and routers, and specialized medical devices.

Exemptions

This policy applies to everyone at all campuses and sites of the University of Kansas Medical Center. There are no exemptions.

Procedures

I. Responsibilities

  • System and application administrators are responsible for assessment and application of security patches that impact systems under their management and supervision.
  • Information Security will monitor vendor and third-party sources for updated vulnerability information daily and distribute pertinent patch information to the appropriate application and system owners in each business unit.

II. Requirements for Patch Application

  • All devices connected to the University network must apply required patches within a timeframe based on the severity of the vulnerability as determined by Information Security:

    • Critical: remotely exploitable vulnerabilities, or vulnerabilities that represent a broad threat to the entire campus community. Patches must be applied within 24 hours.
    • Urgent: locally exploitable vulnerabilities. Patches must be applied within 10 business days.

  • In a situation where a patch cannot be installed due to incompatibility with a system or other software application, the application or system owner must request an exception within the same timeframe.

III. Additional Recommendations for Patch Application

  • System administrators should install patches on a non-production system, if available, to verify that the security patch will not adversely impact system functionality.
  • If a non-production testing system is not available, system administrators must take appropriate measures to verify the patch's correct functionality after being installed into production.
  • When available, it is recommended that system administrators utilize tools such as Windows Security Update Services or ZenWorks to automate the consistent installation of security patches. System and application owners are encouraged to contact Information Security to utilize available patch automation services.

IV. Exceptions

Requests for exceptions to this Policy may be granted for security patches that compromise the usability of an application or computer system, provided that other security measures (e.g., network filtering or firewalls) are in place to mitigate the risk. Any request must be submitted in writing to the Director of Information Security for approval. The KUMC Information Security Exception Form is available for this purpose.

Exceptions will be permitted only on receipt of written approval from Information Security. Information Security will retain documentation of currently permitted exceptions and will review them on an annual basis.