Server and Workstation Patch Management Policy
Contact
Information Technology Services (ITS), Humanities 316
651-696-6525
helpdesk@macalester.edu
Overview
Macalester College is responsible for ensuring the confidentiality, integrity, and availability of its data and that of community members stored on its systems. Macalester College has an obligation to provide appropriate protection against malware threats, such as viruses, Trojans, and worms, which could adversely affect the security of a system or the data residing on it. Effective implementation of this policy will limit the exposure to, and effect of, common malware threats on the systems within its scope.
Purpose
This document describes the Information Technology Services (ITS) requirements for maintaining up-to-date operating system security patches on all Macalester College owned and managed workstations and servers.
Scope
This policy applies to workstations and servers owned or managed by Macalester College. This includes systems that contain college or community member data owned or managed by Macalester College, regardless of location. The following systems have been categorized according to asset type:
- Linux and Microsoft Windows servers managed by the Infrastructure Team
- Workstations (desktops and laptops) managed by the Infrastructure Team
- Non-ITS servers and workstations owned by Macalester, but managed and maintained through partnership and joint responsibility of ITS and the controlling collegiate unit (e.g., academic department).
Note: All servers, whether owned and/or managed by Macalester College or not, that are deployed on the Macalester network must comply with the requirements of the Policy for Deployment of Network Servers.
Policy
Workstations and servers owned by Macalester College must run an up-to-date, vendor-supported operating system with security patches installed to protect the asset from known vulnerabilities. Workstations and servers that are no longer receiving active vendor-provided security patches are not allowed to remain connected to the Macalester network and are to be taken out of service unless an agreed-upon exception is on file. This includes all laptops, desktops, servers, and network devices owned and managed by Macalester College.
Workstations
Infrastructure in consultation with Client Services adheres to a rubric for updating the operating system patches of workstations (laptops, desktops) based on user roles and machine purpose. The rubric is intended to optimize patch installation in a manner that minimizes interruption to mission critical (e.g., instructional delivery) activities and may or may not employ automatic updating. This is the default configuration for all workstations configured by Macalester College. See below for exceptions.
Servers
Servers (including non-ITS) and network devices must comply with the minimum baseline requirements that have been approved by Infrastructure. These minimum baseline requirements define the default operating system level, service pack, hotfix, and patch level required to ensure the security of the Macalester College asset and the data that resides on the system. See below for exceptions.
Roles and Responsibilities
- Infrastructure will manage the patching needs for all servers and network devices on the network.
- Infrastructure will manage the patching needs of all workstations on the network.
- The Information Security Officer is responsible for routinely assessing compliance with the patching policy and will provide guidance to all groups on issues of security and patch management.
Enforcement
Implementation and enforcement of this policy is ultimately the responsibility of all employees at Macalester College. ITS may conduct random assessments to ensure compliance with policy without notice. Any system found in violation of this policy shall require immediate corrective action. Violations shall be noted in the Macalester College issue tracking system and support teams shall be dispatched to remediate the issue. Repeated failures to follow policy may lead to disciplinary action.
Exceptions
Exceptions to the patch management policy require formal documented approval from the Information Security Officer. Any servers or workstations that do not comply with this policy must have an approved exception on file with the Information Security Officer. Requests for exceptions should be made to the ITS Associate Director for Information Security and Infrastructure.
Definition of Terms
- Patch: A piece of software designed to fix problems with or update a computer program or its supporting data.
- Trojan: A class of computer threats (malware) that appears to perform a desirable function but in fact performs undisclosed malicious functions.
- Virus: A computer program that can copy itself and infect a computer without the permission or knowledge of the owner.
- Worm: A self-replicating computer program that uses a network to send copies of itself to other nodes. May cause harm by consuming bandwidth.