IT Security Standard: Computing Devices - Patching

Required

All Devices

  • Devices that do not have operating system and/or application patches applied as described in this section may be removed from the campus network.
  • Operating system and application patching is performed based on the documented method and schedule for the device.
  • Patches must be applied at least every 30 days unless the management authority has approved an exception that includes an appropriate risk analysis and compensating controls.
  • Security vulnerabilities that can be eliminated by patching the operating system or application must be assessed for risk in a timely way, and the patches applied outside of normal maintenance patching unless other compensating controls are in place and approved by the management authority for the device.

High Risk Enterprise Computing Devices

  • Patches must be applied and tested on a test device prior to installation on the device supporting production services.

All Devices

  • Use of a centralized patching process.
  • Patching activities are automated unless specific coordination is required.
  • Configuration and patch reporting should include the following:
      • Compliance (e.g. success/failure of operating system and primary application patches)
      • Standards (e.g. variance from supported operating system and application versions)
      • Differences (e.g. changes/trends in the managed computer from the previous report or baseline security standard)
