|
Responsible Office: Office of Cybersecurity |
Last Review: 03/01/2025 Next Review: 03/01/2027 |
|
Contact: Chris Madeksho | Phone: 901.448.1579 Email: mmadeksh@uthsc.edu |
Purpose
To provide an ongoing and consistent system and application update program that supports regular security updates and patches to operating systems, firmware, productivity applications, and utilities. Updates are critical to maintaining a secure operational environment.
This standard is also designed to meet compliance requirements for data regulated by federal or state law. This includes, but is not limited to, security requirements and safeguards for the Family Educational Rights and Privacy Act (FERPA), Health Insurance Portability and Accountability Act (HIPAA), or Gramm-Leach-Bliley Act (GLBA).
Scope
This Standard applies to all UTHSC IT Resources, including, but not limited to, operating systems, applications, endpoints, and servers connected to the UTHSC network.
Definitions
Endpoint – A device that exists at the end of a network connection, i.e., a desktop, laptop, mobile phone or Internet of Things (IoT) device.
UTHSC Information Technology (IT) Resource – a broad term for all things related to information technology from a holistic point of view and covers all University-owned or managed information technology services, including cloud-based services, that users have access to.
ITS – the Information Technology Services department of UTHSC
System owner – Person or organization that has responsibility for the development, procurement, integration, modification, operation, and maintenance, and/or final disposition of an information system
Patch – A piece of software designed to fix problems with, or update a computer program, or its supporting data. Patches include, but not limited to, updating software, fixing a software bug, installing new drivers, addressing new security vulnerabilities, and addressing software stability issues.
Responsibilities
Office of Cybersecurity is responsible for conducting scans of IT Resources to identify vulnerabilities.
ITS Infrastructure Division is responsible for deploying endpoint patches and updates to operating systems, networking components, and certain applications.
System Owner, the person ultimately responsible for the system, is responsible for managing and remediation of the identified vulnerability, with the assistance of ITS or the data custodian.
System Custodian is responsible for applying required and suggested security controls based on the classification designated in IT0311-HSC-D-Data Security.
End User (UTHSC Campus Community) who has the custody and responsibility of a UTHSC endpoint and is responsible for having the device available to receive updates.
Standard
- Automatic security patching is required where applicable.
- System owners and administrators must monitor all applicable vendor informational sites on a regular basis to stay aware of when operating system and application patches are made available.
- Risk assessments must be performed for patches or changes deemed to be significant to address potential negative impact to confidentiality, integrity, or availability of the UTHSC IT Resource in accordance with IT0004-HSC-A.01-Risk Assessment Process and change management processes.
- New devices must be patched to a supported version. No device should be on the UTHSC network whose operating system or applications are past end of life (EoL).
- Patches should be tested in an appropriate dev/test environment, when available, to understand the impact of deploying the patch in the production environment. This is required for patches that, in the event of a failure or unexpected issue, could result in a significant impact on the University.
- Prior to production deployment, a back-out plan must be in place to roll back changes in the event the patch causes issues with the production environment.
- System components and devices attached to the UTHSC network must be regularly maintained by applying security patches in a timely manner. The scheduling of these patches is based on the severity level of the vulnerability as follows:
- A system reboot is required to install most security patches successfully. These reboots should be automated whenever possible. Patches are not considered applied until the reboot happens, if applicable.
- If a different schedule is needed for updating a specific device or group of devices, ITS will work with the system owner to set up a beneficial schedule. There must be some set schedule for the device to remain on the UTHSC network.
- Other exceptions to this schedule will occur as needed. i.e. emergency patching
- Exceptions to this Practice should be requested using the process outlined in IT0003-HSC-A.02-Security Exceptions and Exemptions to ITS Standards Practices & Controls. Exceptions must enumerate mitigating controls that will be put in place to reduce the risk to the system and data until the patch can be applied.
Policy History
| Version # | Effective Date |
| 1 | 10/07/2020 |
| 2 | 09/28/2021 |
| 3 | 05/17/2022 |
| 4 | 03/01/2025 – new naming convention |
References
- IT7810-Information Technology Vulnerability Management, Audit Log Management, and Malware Defense Policy
- IT0003-HSC-A.02-Security Exceptions and Exemptions to ITS Standards Practices & Controls
- IT0004-HSC-A.01-Risk Assessment Process
- IT0311-HSC-D-Data Security
- NIST Glossary of Terms
Downloadable PDF
