Management Standard Purpose

A compromised computer threatens the integrity of the network and all computers connected to it (“OHIO Systems”). Patch and vulnerability management is a security measure designed to proactively prevent the exploitation of IT vulnerabilities that exist within OHIO Systems. By taking a proactive approach to managing vulnerabilities, the university is able to reduce or eliminate the potential for exploitation and prevent the excessive time, effort, and potential costs that often result when responding to an exploitation after it has occurred.

The purpose of this standard is to ensure that all university owned devices as well as devices that store, process, or transmit university data are proactively managed and patched with appropriate security updates. Standard

1. Enterprise Servers a. All university owned servers will be maintained with the latest security patches to their operating systems and applications. b. Each unit is responsible for OHIO Systems under their control. Units must ensure that their staff maintain knowledge of patch releases either through subscribing to the appropriate notification list or by direct notification from the vendor. When a patch is announced, an authorized system administrator must document the change including criticality rating according to the OIT change management policy. Criticality ratings are generally supplied by vendors, but in the case that no criticality is supplied, the system administrator must assign a criticality rating based on their experience, the classification of the data (per Policy 93.001 Data Classification) contained on the , and the level of risk to the institution in the event of compromise. c. All high/critical patches must be applied as soon as practically possible. This period shall not exceed thirty (30) calendar days after public release for any critical production server. d. All medium/high criticality patches or patches for non-critical systems must be applied within sixty (60) calendar days. e. Any low criticality patches will be installed on a case-by-case basis. All patches should be tested on development systems before being rolled out to production, where possible. f. In cases where patching cannot follow the standard as outlined above, an exception request form must be completed and submitted to the Information Security Office (ISO) for review and analysis of risk. Additionally, a risk acceptance form may be required upon review of the exception request form. All deferred patches will be reviewed quarterly. g. All patches for vendor-maintained systems/applications that are labeled as high/critical must also be patched within thirty (30) days of the approved release from the vendor. The operating unit is responsible for maintaining knowledge of these patches and ensuring that vendors comply with this standard. h. Units are responsible for performing routine vulnerability scans, and reports should be retained for at least ninety (90) days.

2. Endpoints a. All endpoints are to have critical and application patches installed within thirty (30) days of release from the vendor. b. Software vendors release security patches on a regular schedule. For centrally managed devices, applicable patches will be tested and validated by OIT prior to deployment to campus. Once validated OIT will schedule and deploy validated patches to end points on a monthly basis. OIT will communicate with the campus community regarding deployed security patches. 3. Procedures a. Installation and Validation i. A system reboot is required to successfully install most security patches. Until the reboot occurs, the computer will remain vulnerable to attacks which the installed patch protects against. OIT recognizes that flexibility may be needed around a system reboot to provide the university community with the option to reboot with minimal impact to productivity and operations. As such, security updates will be deployed using an "optional-mandatory" method. 1. The optional-mandatory method will allow users to install scheduled updates at their convenience within a pre-determined time-frame. Users will be provided five (5) business days to select the installation time of their choice for patching. Should the five (5) business days without the necessary reboot, updates will automatically install and may enforce reboots of the computer as the updates require. In order to ensure that end points are protected and work is not disrupted due to reboot, it is strongly recommended that users install the updates as soon as possible. When updates are available they will appear in the system tray and the message will continue to appear daily until the updates are installed. Additionally, the messages will increase in frequency as the end of the optional-mandatory period approaches. b. Out of Band Updates i. On occasion a software vendor will release a critical security patch outside of their normal release cycle. The usual reason for the release of an out of band patch is the appearance of an unexpected, widespread, destructive exploit that will likely affect a large number of users. In the event of a published out of band patch, OIT will expedite the validation process. Once validated, users will have one (1) business day to install and reboot their machine to apply the patch. In the event that the deadline passes, updates will automatically install and may enforce reboots of your computer as the updates require. OIT will communicate with the campus community in the event of an out of band update deployment. c. Mandatory Reboot Exemption i. In the event that the five (5) business day window for patch application could have a negative impact on academic or operating unit processes an exemption may be granted. Users that feel this is the case may contact the OIT Contact Center and request to be temporarily exempted from the mandatory reboot process. In the event that an exemption is granted, endpoints will still have patches deployed regularly, but it will be the end user's responsibility to reboot the machine in order to apply the necessary security patches. Each exemption request will be reviewed on a case by case basis and will have a limited duration for the granted exemption.

Definitions

Server: A computer system, which is used as the central repository of data and various programs that are shared by users in a network.

University-owned devices are defined as any device which was purchased by the University. These devices include but are not limited to, any laptop or workstation which was deployed to faculty or staff. This excludes any personal (BYOD) device which may be connected to the University computer network.

Endpoint: Any system or device that stores, processes, or transmits university data. References

Policy 91.003 Data Classification Policy 91.005 Information Security NIST 800 Series Publications Governance

This standard will be reviewed and approved by the university Information Security Office as deemed appropriate based on fluctuations in the technology landscape, and/or changes to established regulatory requirement mandates.