Required

All Devices

- Devices that do not have operating system and/or application patches applied as described in this section may be removed from the campus network.
- Operating system and application patching is performed based on the documented method and schedule for the device.
- Patches must be applied at least every 30 days unless an exception has been approved by the management authority that includes an appropriate risk analysis and compensating controls.
- Security vulnerabilities that can be eliminated by patching the operating system or application must be assessed for risk in a timely way and applied outside of normal maintenance patches unless other compensating controls are in place and approved by the management authority for the device.

High Risk Enterprise Computing Devices

- Patches must be applied and tested on a test device prior to installation on the device supporting production services.

Recommended

All Devices

- Use of a centralized patching process.
- Patching activities are automated unless specific coordination is required.
- Configuration and patch reporting should include the following:
  - Compliance (e.g. success/failure of operating system and primary application patches)
  - Standards (e.g. variance from supported operating system and application versions)
  - Differences (e.g. changes/trends in the managed computer from the previous report or baseline security standard)