|Category||Information & Communications Technology|
|Approved by||Vice-Chancellor, August 2009|
|Date Procedure Took Effect||27 August 2009|
|Last approved revision||30 June 2011|
|Sponsor||Director, Information Technology Services|
|Responsible officer||Manager Information Security|
This Procedure outlines the steps that are required to ensure security patches are applied to software.
This Procedure applies University-wide.
- Community of IT Support Professionals
From time to time software suppliers release patches to close security 'holes' in their software. It is very important that the security patches are applied to vulnerable computers, including personal computers and servers. However, applying patches before testing for the possible side effects they may cause - such as the disabling of features employed and relied upon by a user community - raises concerns. In general it is certainly not good practice to apply patches, or load new software, without testing.
The disruption caused by a successful penetration of computer systems can be, and often is, very significant. The potential 'breakage' of a software element or facility, caused through applying a patch without comprehensive testing, needs to be weighed against the disruption caused by a security incident. It is important that the University lays out procedures the computer administrators can refer to and rely on to support their actions.
All University computer controllers (the term 'controller' is defined in the University's Information Technology (Computing) Regulations) shall have processes in place to ensure that security patches are applied on a regular and timely basis to all computers under their management.
Further, all controllers of non-university owned computers connected to the University network shall also undertake to apply security patches in a timely manner. This includes home computers connecting to the University network via the University dial-up service and laptops and other systems registered for use on the University network.
In the event that the University considers that a particular security patch must be applied immediately in order to protect itself from a major security incident the University may issue an Urgent Patch Bulletin.
a. Urgent Patch Bulletins
Urgent Patch Bulletins shall:
- Be announced on the University security and CITSP mailing lists, and emailed to all people who have registered non-University owned computers for access to the University networks.
- Be released only by the Manager, Information Security or the Director of Information Technology Services
- Require all affected systems to be patched within a time frame specified
- Generally only be issued after the release of the patch has been well publicised and there are known exploits for the vulnerability
In the event that computer systems may not be able to be patched within the timeframes required they should be protected from inappropriate network traffic with either fire walling software or appliances, or if that is not possible then they should be removed from the network until they are patched.