Security Patching policy

This policy applies to systems administrators and computer support staff and is about keeping computer secure by applying up to date security patches and critical patches.

The numbers in brackets refer to the section in the full policy, which is available as a PDF

Applicability

  • Systems administrators and computer support staff (1.2)

Security Maintenance & Management

  • All computers attached to the University network must have up to date security patches and critical patches must be universally installed when they become available. (2.1)

Microsoft Operating System Machines

  • Patches can be applied using the centrally provided service, or through local arrangements, providing the same time frame as the centrally provided service is met. (2.2.1)
  • We will test patches on the second Wednesday each month and release them on the last Wednesday. Those applying patches under local arrangements are to adhere to this schedule. (2.2.2)
  • The community is to be notified by email of any problems discovered during testing. (2.2.2)
  • Patches will be released early where necessary and support staff will be notified. (2.2.3)
  • Systems must be monitored and patched when found to be out of date. (2.2.4)
  • Portable computers and those that are only occasionally attached to the network are to be patch maintained. (2.2.5)
  • Servers with Microsoft operating systems are to be patched within 2 working weeks of patches being released. (2.2.6)
  • Service packs are to be deployed through the centrally provided system or under local arrangements. (2.2.7)
  • Service packs are to be tested before release but may be released early when risk justified. (2.2.7)
  • Systems must be monitored for service pack currency compliance and brought up to date where necessary. (2.2.7)

Non-Microsoft Operating Systems

  • Those responsible for the maintenance of non-Microsoft systems are to keep themselves up to date with details of vulnerabilities, exploits and patches associated with their platforms. (2.3.1)
  • Security patches for vulnerabilities exploitable externally or without a user-id are to be classed as critical. (2.3.2)
  • Less important machines are to be tested first, but priority must be given to machines visible from off campus. (2.3.2)
  • Anyone experiencing problems with a patch should inform the community. (2.3.2)

Routers & Switches

  • We will monitor appropriate websites for details of vulnerabilities affecting routers and switches and securely maintain its network equipment. (2.3.3)
  • Computer support staff who operate their own network devices are responsible for their security maintenance. (2.3.4)

Network Blocking of Non-Updated Computers

  • Computers that are not kept full up to date with patches and service packs may be blocked from the network and will not be reconnected until they become current. (2.3.4)

Related downloads