Patch Management Policy

Updated 10/31/19


Purpose

The purpose of this policy is to ensure that hardware and software hotfixes, firmware updates, service packs, etc., henceforth referred to as "patches", are adequately planned, assessed and tested before being installed on any production computer system at Massachusetts Maritime Academy (MMA).  This helps ensure that known vulnerabilities are removed from production systems, and that patches carrying software defects that could adversely affect a system or its data are not installed on them.

Scope

This policy applies to all production computer hardware, software and workstations located at Massachusetts Maritime Academy.

Policy

Establishing vendor communication

Hardware and software vendors regularly release patches that address issues the vendor has recently discovered, including security vulnerabilities.  The vendor releases a patch so that customers do not have to wait for the next large, scheduled software release.  In order to be made aware of a patch release as soon as it is available, MMA will ensure that a method of communication (for example, a vendor security mailing list or support portal notification) has been established with each hardware and software vendor, so that this information is received by the appropriate person(s) in a timely manner.

SaaS and Cloud-hosted systems

When an MMA computer system is moved to the cloud, as SaaS or hosted, or when a contract for a new cloud-based system is executed, the process the vendor uses to apply patches must be thoroughly understood.  The vendor must communicate to MMA when patches will be installed and whether the system will require downtime for the patch installation to complete. 

Patching of endpoints

Faculty and staff desktops and laptops must have automatic updates enabled for operating system and security patches. Patch installs should run as a background process or, if they cannot run in the background, at the time that will be least disruptive to the end user.

Endpoints used in a classroom or a simulator do not have to be enabled for automatic updates if there is a possibility that patches would cause downtime and loss of teaching time.  Patches for these endpoints must still be installed, but should be scheduled after business hours so they do not disrupt classes.

Testing patches for applications

Patches to applications should be reviewed to determine whether they are appropriate for installation.  If deemed appropriate, a test plan should be created.  The test plan must be executed on non-production systems only.  The test plan must exercise the software sufficiently that potential problems are discovered before the patch reaches production.  Whenever possible, if the patch is related to software functionality, end users should be involved in the testing process to confirm that functionality has not been adversely affected by the patch.

Scheduling a patch installation

A Change Management form must be created per the Change Management Policy for patches to production applications, servers and hardware.  Installation of the patch will be scheduled once all approvals of the change are completed.  The installation of the patch must take place during non-business hours, except in an emergency situation with prior approval of the Vice President of Technology and Library Services.

Notification to end-users

Advance notification from the MMA Help Desk must be provided to all affected users to communicate when the patch will be installed and whether the system will need to be shut down or restarted. 

Once the Help Desk has sent out a notification regarding a patch installation, a follow-up email must be sent out if there are any issues with the installation.  Similarly, when the patch installation has successfully completed, a notification must be sent from the Help Desk stating that the patch installation has been completed and the system is available for use.

Monitoring and Reporting – Post-installation

Reports should be run on a monthly basis to identify any MMA-owned PCs that are missing operating system or security patches, or that require a reboot for installed patches to take full effect.  Efforts should be undertaken to install the missing patches or reboot the PCs as soon as possible.
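The following is an added example of how such a report can be produced for a single Windows PC; it is not part of the MMA policy and is not MMA's own tooling.  It assumes local administrator rights, a supported Windows version with the Windows Update Agent COM API (Microsoft.Update.Session) available, and the standard registry locations Windows uses to flag a pending reboot.  The function names (Test-PendingReboot, Get-MissingUpdates, Get-PatchComplianceReport) are this example's own.

```powershell
# Added example (not from the MMA policy): report a Windows PC's missing updates
# and pending-reboot state, as a building block for the monthly compliance report.
# Assumes local Administrator rights and the Windows Update Agent COM API.

function Test-PendingReboot {
    # Registry locations Windows sets when a reboot is needed to finish
    # component servicing (CBS), Windows Update, or a file rename queued by an installer.
    $cbs = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    $wu  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    $smg = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'

    $reasons = @()
    if (Test-Path $cbs) { $reasons += 'ComponentBasedServicing' }
    if (Test-Path $wu)  { $reasons += 'WindowsUpdate' }
    $pfro = (Get-ItemProperty -Path $smg -Name PendingFileRenameOperations -ErrorAction SilentlyContinue).PendingFileRenameOperations
    if ($pfro) { $reasons += 'PendingFileRenameOperations' }

    [PSCustomObject]@{
        PendingReboot = ($reasons.Count -gt 0)
        Reasons       = ($reasons -join ',')
    }
}

function Get-MissingUpdates {
    # Ask the local Windows Update Agent which applicable updates are not yet installed.
    # The answer reflects the machine's configured update source (WSUS or Microsoft Update).
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")

    foreach ($u in $result.Updates) {
        [PSCustomObject]@{
            Title      = $u.Title
            KB         = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
            # MsrcSeverity is empty for non-security updates; Critical/Important mark security fixes.
            Severity   = $u.MsrcSeverity
            Categories = ($u.Categories | ForEach-Object { $_.Name }) -join ';'
        }
    }
}

function Get-PatchComplianceReport {
    $reboot   = Test-PendingReboot
    $missing  = @(Get-MissingUpdates)
    $security = @($missing | Where-Object { $_.Severity -or $_.Categories -match 'Security' })
    $lastBoot = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime

    [PSCustomObject]@{
        ComputerName         = $env:COMPUTERNAME
        ReportDate           = (Get-Date).ToString('s')
        LastBoot             = $lastBoot
        PendingReboot        = $reboot.PendingReboot
        RebootReasons        = $reboot.Reasons
        MissingUpdateCount   = $missing.Count
        MissingSecurityCount = $security.Count
        MissingUpdates       = ($missing | ForEach-Object { $_.KB }) -join ' '
        # A PC needs follow-up if anything is missing or a reboot is outstanding.
        NeedsAction          = ($missing.Count -gt 0 -or $reboot.PendingReboot)
    }
}

# Run locally. For the monthly report, fan this out with Invoke-Command over the
# list of MMA-owned PCs and Export-Csv the combined results.
Get-PatchComplianceReport | Format-List
```

Two caveats when reading the output: the update search is only as complete as the machine's configured update source, so on a WSUS-managed PC an update that has not been approved in WSUS will not appear as missing, and a PC that is offline at report time will simply be absent from the fan-out results rather than show as compliant.  Both cases should be reconciled against the full inventory of MMA-owned PCs before the report is treated as final.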

Any production application, server or hardware should be closely monitored after a patch installation to ensure there are no negative effects from the patch.

Enforcement

Any employee found to have violated this policy may be subject to disciplinary action, per any applicable collective bargaining agreements.

Responsibility

Staff members of the Technology and Library Services division are responsible for the execution of this policy. 

This policy is owned by the Vice President of Technology and Library Services, who will coordinate any and all revisions.

References

Framework: SANS Top 20 Controls, CSC 3-2, CSC 4-5, CSC 4-8 – 4-10
Regulations and Requirements: PCI DSS, MA 201, HIPAA
Supporting Standards and Procedures: none listed


Revision History

This section contains comments on any revisions that were made to this document and the date they were made.

Version  Issued Date  Changes Made By     Description of Changes
1.0      2/3/2016     Anne Marie Fallon   Initial Draft
1.1      10/10/2019   Anne Marie Fallon   Multiple edits made.
1.2      10/15/2019   Anne Marie Fallon   Additional edits made.
1.3      10/31/2019   Anne Marie Fallon   Published the policy