X-99.13(A)

UMB IT Patch Management Policy

Information Technology

---

Responsible VP/AVP

Peter J. Murray, PhD, CAS, MS

---

Applies to Staff

---

Policy Statement

Patch and vulnerability management is a security practice designed to proactively prevent the exploitation of IT vulnerabilities that exist within an organization. The expected result is to reduce the time and money spent dealing with vulnerabilities and exploitation of those vulnerabilities. Proactively managing vulnerabilities of systems will reduce or eliminate the potential for exploitation and involve considerably less time and effort than responding after exploitation has occurred.

All manufacturers of computer operating systems are susceptible to programming flaws that can introduce security risks.  Occasionally, one of those flaws permits a hacker to compromise those systems. A compromised computer threatens the integrity of the network and all computers connected to it. Therefore, all systems connected to the campus network must have up-to-date critical security patches applied.

---

Purpose

To ensure systems do not pose an unmanaged security risk for the campus, by ensuring applicable and required security patches are applied in a timely and effective manner. 

---

Scope

This policy applies to every workstation physically (including wireless) connected to any part of the campus network.

---

Responsibilities

To comply with the USM Guidelines in Response to the State IT Security Policy which requires USM institutions to implement formal controls on all institutionally owned systems that store and/or access nonpublic information.

---

Compliance

Implement a systematic, accountable, and documented process for managing exposure to vulnerabilities through the timely deployment of patches.