
Patch Management Policy

Purpose:

Security vulnerabilities are inherent in computing systems and applications. These flaws allow the development and propagation of malicious software which can disrupt normal business operations in addition to placing university data at risk. In order to effectively mitigate this risk, software "patches" are made available to remove a given security vulnerability. Given the large number of computer workstations and servers that comprise the Trinity University network, it is necessary to utilize a comprehensive patch management solution that can effectively distribute security patches automatically when they are made available. The patch management solution has the ability to evaluate individual computer workstations and servers for vulnerabilities. Patches may then be automatically installed and, when necessary, the affected machine rebooted. Effective security is a team effort involving the participation and support of every Trinity University employee and affiliate who is a user of the Trinity University computer network.

Scope:

This policy applies to employees, contractors, consultants, temporaries, and other workers at Trinity University including all personnel affiliated with third parties. This policy applies to all equipment that is owned or leased by Trinity University such as all electronic devices, servers, application software, computers, peripherals, routers, and switches.

Policy:

Many computer operating systems such as Microsoft Windows, Linux, Mac OS and others include software application programs which may contain security flaws.

Occasionally, one of those flaws permits a hacker to compromise a computer. A compromised computer threatens the integrity of the network and all computers connected to it. Almost all operating systems and many software applications have periodic security patches released by the vendor that need to be applied. Patches which are security related or critical in nature should be installed.

  •  In the event that a critical or security patch cannot be centrally deployed by ITS, it must be installed in a timely manner using the best resources available. In the case of non-Microsoft desktop operating systems where a centralized deployment is not available, installation should occur in a timely manner by a member of User Support Services or Network, Security, and System Services personnel or the end user.
  •  Failure to properly configure new workstations is a violation of this policy. Disabling, circumventing or tampering with patch management protections and/or software constitutes a violation of policy.
Definitions:

    The Microsoft Windows Server Update Services (WSUS): enables information technology administrators to deploy the latest Microsoft product updates to computers running Microsoft Windows Server 2003, Microsoft Windows® XP with Service Pack 1, and Windows 2000 with Service Pack 4 operating systems. By using WSUS, administrators can fully manage the distribution of updates that are released through Microsoft Update to computers in their network. The WSUS server provides the features that administrators need to manage and distribute updates through the WSUS Administration Console, which can be installed and accessed on any Windows computer in the Trinity domain. It works by controlling the Automatic Updates applet already present on all Windows machines. Instead of many machines at Trinity all going to Microsoft's website to download updates, the WSUS server downloads all updates to an ITS-owned server, and workstations on the Trinity domain look there for updates.

    Push Technology is used in client/server applications to send data to a client without the client requesting it.


     