Category Information & Communications Technology
Type Procedure
Approved by Vice-Chancellor, August 2009
Date Procedure Took Effect 27 August 2009
Last approved revision 30 June 2011
Sponsor Director, Information Technology Services
Responsible officer Manager Information Security

Purpose

This Procedure outlines the steps that are required to ensure security patches are applied to software.

Organisational scope

This Procedure applies University-wide.

Definitions

CITSP
Community of IT Support Professionals

Content

From time to time software suppliers release patches to close security 'holes' in their software. It is very important that the security patches are applied to vulnerable computers, including personal computers and servers. However, applying patches before testing for the possible side effects they may cause - such as the disabling of features employed and relied upon by a user community - raises concerns. In general it is certainly not good practice to apply patches, or load new software, without testing.

The disruption caused by a successful penetration of computer systems can be, and often is, very significant. The potential 'breakage' of a software element or facility, caused by applying a patch without comprehensive testing, needs to be weighed against the disruption caused by a security incident. It is important that the University lays out procedures that computer administrators can refer to and rely on to support their actions.

1. Procedure

All University computer controllers (the term 'controller' is defined in the University's Information Technology (Computing) Regulations) shall have processes in place to ensure that security patches are applied on a regular and timely basis to all computers under their management.

Further, all controllers of non-University owned computers connected to the University network shall also undertake to apply security patches in a timely manner. This includes home computers connecting to the University network via the University dial-up service, and laptops and other systems registered for use on the University network.

In the event that the University considers that a particular security patch must be applied immediately in order to protect itself from a major security incident, the University may issue an Urgent Patch Bulletin.

a. Urgent Patch Bulletins

Urgent Patch Bulletins shall:

  1. Be announced on the University security and CITSP mailing lists, and emailed to all people who have registered non-University owned computers for access to the University networks.
  2. Be released only by the Manager, Information Security or the Director of Information Technology Services.
  3. Require all affected systems to be patched within a specified time frame.
  4. Generally only be issued after the release of the patch has been well publicised and there are known exploits for the vulnerability.

In the event that computer systems cannot be patched within the required time frame, they should be protected from inappropriate network traffic with either firewalling software or firewall appliances; if that is not possible, they should be removed from the network until they are patched.

Related policies, procedures and forms
