
Patch Management Policy

Purpose

The purpose of this policy is to ensure that computer systems attached to the Indiana University network are updated accurately and in a timely manner with security protection mechanisms (patches) for known vulnerabilities and exploits. These mechanisms are intended to reduce or eliminate the vulnerabilities and exploits with limited impact to the business.

Scope

This policy applies to all employees and faculty of SOIC. Vendors, contractors, partners, students, collaborators, and any others doing business or research with the SOIC are also subject to the provisions of this policy, as are any other parties who use, work on, or provide services involving SOIC computers, technology systems, and/or data.

SOIC computing resources have been developed to encourage widespread access to and distribution of data and information for the purpose of accomplishing the educational and research missions of the school. This policy does not supersede any policy developed by Indiana University, but it may introduce requirements more stringent than the university policy.

Definitions

Operating System (OS) is the set of programs that provides the basic functions of a computer.

A device is defined as any object used to store, process, and/or transfer data.

Confidentiality, Integrity, Availability (CIA) are the three basic tenets of information security.

A networked device is defined as any device that is either permanently or periodically attached to the Indiana University network.

Remediated means that all patches required by the vendor have been applied.

Mitigated means that steps have been taken to protect a device from a particular vulnerability, e.g. the device has been removed or otherwise isolated from the network, the network interface card (NIC) has been removed, or a deviation from the required patch process has been approved by the SOIC Director of Technology Services and is on file.

Policy

All networked devices belonging to or managed by SOIC departments, practice plans, or other affiliated and partner organizations will be patched with vendor provided operating system security patches.

These patches will be applied as soon as possible following appropriate testing by the SOIC technology staff or by the affiliated and partner organizations.

New devices must be patched to the current patch level, as defined by the operating system vendor, PRIOR to the device being connected to the production network.

The current patch status of all SOIC devices and of devices belonging to other affiliated and partner organizations must be communicated to the SOIC Director of Technology Services or designate. For devices that cannot be patched, the exact mitigation effort must be reported to the Director of Technology Services or designate.

Violation of Policy

If it is suspected that this policy is not being followed, report the incident to the Executive Associate Dean or the Director of Technology Services. Any exceptions to this policy must be approved in advance by both the Executive Associate Dean and the Director of Technology Services.

Enforcement

Any person found to have violated this policy will be subject to appropriate disciplinary action as defined by the provisions of Indiana University Policy IT-02, Policy on Sanctions for Misuse or Abuse of Indiana University Technology Resources.