UIS.204.2 End-user Patch Management Guidelines

In support of UIS.204 Vulnerability Management Policy

Georgetown University has adopted the security audit and accountability principles established in NIST SP 1800-5 “IT Asset Management” control guidelines as the official policy for this security domain. Each system administrator and system owner must adhere to the guidelines and procedures associated with this policy in order to support and be compliant with the University information security framework. 

Vulnerability scans are performed on a regular, scheduled basis against all University assets. Potential vulnerabilities are identified and validated, their criticality is assessed using a tailored risk rating formula, and remediation actions are taken in a timely manner to safeguard the University's information technology systems and data.

End User Patch Management Requirements
  1. All end-user desktops and laptops (workstations) must maintain applicable and available up-to-date patches for operating systems (OS), applications and middleware.

    • All workstations, including those used as loaners and test computers, must have automatic updates enabled for operating system patches.

    • Applications and middleware must be patched on a regular schedule, with the frequency determined by the criticality of the software.

    • Critical workstation vulnerabilities must be addressed in accordance with the Critical Vulnerabilities Guide.

  2. Applicable out-of-band patches must be scheduled for deployment in accordance with the risk-based patch deployment schedule published by the University Information Security Office (UISO).

  3. Teams responsible for applying patches are required to compile and maintain reporting metrics that summarize the outcome of each patching cycle.   

  4. Patching activities must be recorded through the established Change Management Process.

  5. Patching reports must be kept up to date and made available to University stakeholders on request.

  6. If, for any reason, a patch cannot be deployed and installed on a University workstation, the responsible system administrator must submit a patch deferment request to UISO immediately upon notification of that patch requirement.

  7. Any workstation deemed non-compliant with respect to its patch status will be subject to compensating security controls, which may include restricted or limited access or temporary to permanent removal from the University computing environment.

  8. Only the University Chief Information Officer (CIO), upon advice from the University Chief Information Security Officer (CISO), may evaluate the risks presented by non-compliant computing systems and determine the actions required to address them.