UMB IT Patch Management Policy
X-99.13(A) | Information Technology | Approved May 13, 2025
Responsible VP/AVP: Peter J. Murray, PhD, CAS, MS
Applies to: Staff
Revision History
Reviewed 04/30/2024
Purpose
Addressing IT security vulnerabilities effectively and efficiently through the application of security patches reduces the risk of device, information system and data exploitation. This policy outlines the responsibilities and procedures for managing vulnerabilities and applying patches to ensure the security and integrity of UMB's information systems, computing devices, and data.
Policy Statement
UMB information systems and computing devices must be regularly assessed for security vulnerabilities. A regular, ongoing process of applying security patches to UMB-owned systems and devices must be followed. A security vulnerability identified as a zero-day vulnerability by trusted sources, such as CISA (Cybersecurity and Infrastructure Security Agency), must be addressed immediately. Critical or high-rated vulnerabilities reported to MITRE's CVE (Common Vulnerabilities and Exposures) list must be fixed within 30 days of a vendor's patch or hotfix release. If there is a compelling reason why a patch for a critical or high vulnerability cannot be applied within 30 days, an exception must be requested from UMB IT Security and Compliance. IT Security and Compliance will review, assess, and document the situation and determine whether a temporary exception can be approved. Security vulnerabilities rated medium or low must be patched as soon as possible.
Scope and Exceptions
This policy applies to all UMB computing devices and information systems, including all software, hardware, and network components. It covers all stages of vulnerability management, from identification and assessment to remediation.
Roles and Responsibilities
UMB IT Security and Compliance: Responsible for conducting regular vulnerability scans and assessments, and for maintaining records of security vulnerabilities and their remediation.
Computing Device and Information System Owners: Responsible for applying patches and ensuring that UMB computing devices and information systems are compliant with this policy, and for reporting any issues or requested exceptions to UMB IT Security and Compliance.
Procedures
Vulnerability Assessment: Conducting regular scans to identify vulnerabilities in UMB information systems.
Patch Management: Applying security patches promptly to address identified vulnerabilities, and documenting and approving any exceptions.
Monitoring and Reporting: Monitoring systems for compliance with this policy and reporting any deviations to the UMB Chief Information Security Officer.