Server Patching Policy (2.3-1)

Purpose

Saginaw Valley State University is committed to ensuring a secure computing environment by proactively keeping the University's critical infrastructure patched in a timely manner. In addition, this policy defines server-patching procedures outlined by the Information Technology Change Management Guidelines for assessing, scheduling, and approving server patches. Proactively applying patches will reduce or eliminate the potential for exploitation and will require less time and effort than would be needed if a system were compromised.

Server Patching

Scope

All servers owned or managed by SVSU Information Technology will download patches from a trusted source. The patches are scheduled and applied using the ITS Change Control process. The servers include, but are not limited to, Microsoft Windows, Linux, and VMware. The majority of servers are currently patched by SCCM (2x per month); those that aren't capable are updated monthly via a manual patching process.

Emergency Patching

Emergency patches are given high priority for assessment, scheduling, and approval. When an emergency patch is available, it is assessed, scheduled, and approved using the ITS Change Management Guidelines. Vulnerabilities rated CVSS 9-10 (high) should be patched within 24 hours.

Routine Patching

Routine patching of servers is assessed, scheduled, and approved using an eight-week patch rotation following the ITS Change Management Guidelines. Routine patching may occur during the day or at night; SCCM patching follows a strict schedule on a monthly basis.

Special Patching Considerations

Patching of the Colleague ERP production and test systems is performed 3 times per year in February, June, and October.  Patching is performed more frequently if critical time-sensitive security patches are released.

Patching Schedule

  • Refer to the individual Configuration Items Change Calendar for specifics on patching schedules.

Patching Exceptions

Due to risks of patching during peak usage or registration, updates/patches may be approved for installation on a different schedule.  These exceptions will be evaluated on a case-by-case basis and must be approved through the change management control cycle.

Monitoring and Reporting

There is a TDX and SCCM report for server patch monitoring and reporting.
