UIS.204.1 Asset Patch Management Guidelines
In support of UIS.204 Vulnerability Management Policy
Georgetown University has adopted the threat and vulnerability management principles established in NIST SP 800-171 “Risk Assessment” and “Security Assessment” control guidelines as the official policy for this security domain. Each system administrator and system owner must adhere to the guidelines and procedures associated with this policy in order to support and be compliant with the University information security framework.
Vulnerability scans are performed on a regular, scheduled basis on all University assets; potential vulnerabilities are identified and validated, criticalities are assessed based on a tailored risk rating formula, and remediation actions taken in a timely manner to safeguard the University’s information technology systems and data.
Patch Management Requirements
All assets must maintain applicable and available up-to-date patches for operating systems (OS), applications and middleware.
Production assets must have automatic updates enabled for operating system patches.
Applications and middleware must have regular patching enabled for its software based on criticality.
Applicable patches and vulnerability remediations must be scheduled for deployment in accordance with the risk-based schedule outlined by the University information security office (UISO)
Vulnerability Remediation Schedule
Critical
Remediate within 48 hours
UIS Severity Rating greater than 5
- Remotely exploitable and/or
- CVSS greater than 8, and/or
- Vendor “Critical” (or equivalent)
High
Remediate within 7 days
- UIS Severity Rating greater than 4, and/or
- CVSS between 6 and 8, and/or
- Vendor “High” (or equivalent)
Medium
Remediate within 14 days
UIS Severity Rating greater than 3
- CVSS between 4 and 6, and/or
- Vendor “Medium” (or equivalent)
Low
Remediate within 30 days
- UIS Severity Rating lower than 3
- CVSS lower than 4, and/or
- Vendor “Low” (or equivalent)
- Teams responsible for applying patches are required to compile and maintain reporting metrics that summarize the outcome of each patching cycle.
- Patching activities are recorded in established Change Management Processes.
- Patching reports are up-to-date and available to University stakeholders as requested.
- If for any reason, patches cannot be deployed and installed on University production assets, the responsible system administrator has the responsibility to provide UISO with the patch deferment request immediately upon notification of that patch requirement.
- Any asset deemed non-compliant in terms of its patch status will be subject to compensating security controls that may include restricted/limited access or temporary to permanent removal from the University computing environment.
- Only the University Chief Information Officer (CIO) upon advice from the University Information Security Officer (CISO) can evaluate the risks presented by non-compliant computing systems and will determine the actions required to address them.