MenuSearchA-ZSeven Schools One University

Menu

Close Menu
Info For
Resources
Seven Schools One University

A–Z

Close Menu

Information Technology Policies

UMB IT Patch Management Policy

X-99.13(A)  |  Information Technology  |  Approved May 13, 2025

Responsible VP/AVP: Peter J. Murray, PhD, CAS, MS

Applies to: Staff

Revision History

Reviewed 04/30/2024

Purpose

Addressing IT security vulnerabilities effectively and efficiently through the application of security patches reduces the risk of device, information system and data exploitation. This policy outlines the responsibilities and procedures for managing vulnerabilities and applying patches to ensure the security and integrity of UMB's information systems, computing devices, and data.

Policy Statement

UMB information systems and computing devices must be regularly assessed for security vulnerabilities. A regular, ongoing process of applying security patches to UMB owned systems and devices must be followed. A security vulnerability identified as a zero-day vulnerability by trusted sources, such as CISA (Cybersecurity and Infrastructure Security Agency), must be addressed immediately.  Critical or high-rated vulnerabilities reported to MITRE’s CVE (Common Vulnerabilities and Exposures) must be fixed within 30 days of a vendor’s patch or hotfix release. If there is a compelling reason for why a patch cannot be applied to a critical or high vulnerability within 30 days, an exception must be requested from UMB IT Security and Compliance. IT Security and Compliance will review, assess, and document the situation and determine if a temporary exception can be approved.  Security vulnerabilities rated medium or low need to be patched as soon as possible. 

Scope and Exceptions

This policy applies to all UMB computing devices and information systems, which includes all software, hardware, and network components. It covers all stages of vulnerability management, from identification and assessment to remediation.

Roles and Responsibilities

UMB IT Security and Compliance: Responsible for conducting regular vulnerability scans, assessments and maintaining records of security vulnerabilities and remediations.

Computing Device and Information System Owners: Responsible for applying patches and ensuring that UMB computing devices and information systems are compliant with this policy, and for reporting any issues or requested exceptions to UMB IT Security and Compliance.

 

PROCEDURES

Vulnerability Assessment: Conducting regular scans to identify vulnerabilities in UMB information systems.

Patch Management: Applying security patches promptly to address identified vulnerabilities. Document and approve any exceptions.

Monitoring and Reporting: Monitoring systems for compliance with this policy and reporting any deviations to the UMB Chief Information Security Officer.


The University of Maryland, Baltimore is the founding campus of the University System of Maryland.

620 W. Lexington St., Baltimore, MD
21201 | 410-706-3100

The University of Maryland, Baltimore prohibits sex discrimination in any education program or activity that it operates. Individuals may report concerns or questions to the Title IX Coordinator. Read the UMB Notice of Non-Discrimination.
© 2024-2025 University of Maryland, Baltimore. All rights reserved.