Patch Management Policy
The purpose of this policy is to ensure that hardware and software hotfixes, firmware updates, service packs, etc., henceforth referred to as “patches”, are adequately planned, assessed and tested before being installed on any production computer system at Massachusetts Maritime Academy (MMA). This helps to ensure that known vulnerabilities are removed and that patches which could adversely affect a system or its data are not installed on production systems.
This policy applies to all production computer hardware, software and workstations located at Massachusetts Maritime Academy.
Establishing vendor communication
Many hardware and software vendors release software that addresses issues the vendor has recently discovered. The vendor releases such a patch so that clients do not have to wait for the next large, scheduled software release. In order to be made immediately aware of a patch release, MMA will ensure that a method of communication has been established with each hardware and software vendor so that this information is received by the appropriate person(s) in a timely manner.
SaaS and Cloud-hosted systems
When an MMA computer system is moved to the cloud, as SaaS or hosted, or when a contract for a new cloud-based system is executed, the process the vendor uses to apply patches must be thoroughly understood. The vendor must communicate to MMA when patches will be installed and if the system will require downtime for the patch installation to complete.
Patching of endpoints
Faculty and staff desktops and laptops must have automatic updates enabled for operating system and security patches. Patch installs should run as a background process or, if they cannot run in the background, at the time least disruptive to the end user.
Endpoints which are used in the classroom or a simulator do not have to be enabled for automatic updates if there is a possibility that patches would cause downtime and loss of teaching time. These patches should be planned to be installed after business hours to ensure they do not disrupt classes.
Testing patches for applications
Patches to applications should be reviewed to determine if they are appropriate for installation. If deemed appropriate for installation, a test plan should be created. The test plan must be executed on non-production systems only. The test plan will ensure that the software is sufficiently exercised in order that all potential problems are discovered. Whenever possible, if the patch is related to software functionality, end users should be involved in the testing process to ensure that functionality has not been adversely affected by the patch.
Scheduling a patch installation
A Change Management form must be created per the Change Management Policy for patches to production applications, servers and hardware. Installation of the patch will be scheduled once all approvals of the change are completed. The installation of the patch must take place during non-business hours, except in an emergency situation with prior approval of the Vice President of Technology and Library Services.
Notification to end-users
Advance notification from the MMA Help Desk must be provided to all users to communicate when the patch will be installed and whether the system will need to be shut down or restarted.
Once the Help Desk has sent out a notification regarding a patch installation, a follow-up email must be sent out if there are any issues with the installation. Similarly, when the patch installation has successfully completed, a notification must be sent from the Help Desk stating that the patch installation has been completed and the system is available for use.
Monitoring and Reporting – Post-installation
Reports should be run on a monthly basis to determine if any MMA-owned PCs need operating system or security patches to be installed or system reboots are needed for patches to be fully installed. Efforts should be undertaken to install the missing patches or reboot the PCs as soon as possible.
Any production application, server or hardware should be closely monitored after a patch installation to ensure there are no negative effects from the patch.
Any employee found to have violated this policy may be subject to disciplinary action, per any applicable collective bargaining agreements.
Staff members of the Technology and Library Services division are responsible for the execution of this policy.
This policy is owned by the Vice President of Technology and Library Services, who will coordinate any and all revisions.
| Framework | Regulations and Requirements | Supporting Standards and Procedures |
|---|---|---|
| SANS Top 20 Controls | PCI DSS - MA 201 - HIPAA | |
| CSC 3-2, CSC 4-5, CSC 4-8 – 4-10 | | |
This section contains comments on any revisions that were made to this document and the date they were made.
| Version Number | Issued Date | Changes Made By | Description of Changes |
|---|---|---|---|
| 1.0 | 2/3/2016 | Anne Marie Fallon | Initial Draft |
| 1.1 | 10/10/2019 | Anne Marie Fallon | Multiple edits made. |
| 1.2 | 10/15/2019 | Anne Marie Fallon | Additional edits made. |
| 1.3 | 10/31/2019 | Anne Marie Fallon | Published the policy |