Patch Management Policy

This document outlines SnowBe's patch management policy. It aims to maintain up-to-date systems and software to protect data confidentiality, integrity and availability. All IT systems must be licensed, supported, and running updated OS/software. Critical and high risk patches must be installed within 14 days, while medium and low risk patches have longer windows. Servers are patched according to defined schedules. Exceptions require formal approval. System owners and third parties are responsible for patching systems they manage.


PATCH MANAGEMENT POLICY

Status - under review


Document Owner – James Williams
Last Review Date – July 20th, 2022
Version 1.0
<Template Policy> – V 1.0
Status: [x] Working Draft  [ ] Approved  [ ] Adopted
Document owner: James Williams
7/20/2022

SnowBe IT Policy

Purpose
1.1 This document describes the requirements for maintaining up-to-date systems and software on all IT Systems managed or maintained by SnowBe.

1.2 SnowBe has a responsibility to uphold the confidentiality, integrity and availability of the data held on its IT systems on and off site, which includes systems and services supplied by third parties but managed by SnowBe.

1.3 SnowBe has an obligation to provide appropriate and adequate protection of all its IT estate, whether physical, virtual, on premise or in the Cloud.

1.4 Effective implementation of this policy reduces the likelihood of system compromise due to known vulnerabilities.

Scope
- All IT systems owned by SnowBe and managed by the SnowBe IT department.
- All IT systems used by SnowBe but managed by third parties.

Definitions
System Owners includes Business Systems Managers, Assistant Systems Support Analysts and Business Systems Support Analysts.

SnowBe's IT department includes the Core Systems Manager, Solutions Analyst, Deputy Director IT and IT Security Manager.

IT Systems refers to:

- Physical Servers
- Virtual Servers
- Cloud hosted Servers
- Third Party Managed Servers
- End user compute devices (laptops/desktops etc.)
- Mobile devices (phones, tablets etc.)
- Server Operating Systems (both Microsoft and non-Microsoft)
- Server Applications (e.g. Microsoft IIS or SQL Server)
- EUC Applications (e.g. productivity tools such as MS Office, Adobe Reader and web browsers)
- Device Firmware

Roles & Responsibilities


Chief Information Officer is accountable for ensuring that the software update and
patching policy is adhered to.

IT Services Manager - is responsible for ensuring that in scope software is maintained through regular software updates and patching.

System owners - are responsible for ensuring that all in scope software they manage is maintained through regular software updates and patching.

The IT department - is responsible for ensuring that all in scope software it manages is maintained through regular software updates and patching. The IT department will provide guidance to all stakeholder groups on issues of security and patch management.

Third Party Suppliers - are responsible for ensuring that all in scope software they manage is maintained through regular software updates and patching, both before and during its operational deployment. Where this is not possible, it must be escalated to the SnowBe IT department.

Policy

All IT systems either owned by SnowBe or in the process of being developed and supported by third parties must be licensed appropriately, supported by the manufacturer, and be running up-to-date and patched operating systems and application software. Any IT system that is no longer licensed or supported by the manufacturer will be removed from the SnowBe network.

To protect SnowBe's IT systems from known vulnerabilities, security patches must be deployed in a suitable time frame. Unless prevented by SnowBe IT procedures, patches should be deployed as per the following schedule:

Vendor vulnerability classification | Full deployment within (calendar days)
Critical                            | 14
High                                | 14
Medium                              | 21
Low                                 | 28

Where the deployment of 'Critical' or 'High' risk security patches within 14 days is not possible, either appropriate compensating controls or a temporary means of mitigation must be applied to reduce the exposure faced by SnowBe's IT systems.

Third party suppliers must be prepared to provide evidence of up-to-date patching before
IT systems are accepted into operational service.

New systems must be patched to the current agreed baseline before coming online in
order to limit the introduction of new threats.

Servers must comply with the recommended minimum requirements specified by SnowBe's IT department, which include the default operating system level, service packs, hotfixes and patching levels. All exceptions shall be documented by SnowBe's IT department.

Microsoft patches are scheduled to deploy the first Monday after “Patch Tuesday”. This
is the unofficial name used to refer to the day Microsoft releases its security patches
which typically occurs on the second Tuesday of each month.

Servers managed by SnowBe's IT department will apply regular patches according to the IT department's defined schedule.

Key business systems, such as the Finance and Student records systems, are patched manually in a controlled manner. All patches must be tested prior to full implementation, since patches may result in unforeseen issues.


Testing will be carried out using a Test system that closely matches the production
systems. Where there is no Test system then patch results from another non-key
production system will be used and the results of any patch will be closely monitored for
adverse effects. User Acceptance Testing (UAT) of the business system must be completed after
controlled patching completes.

A remediation plan that allows for the return to a working state must be in place prior to any patching. This could be either rolling back to a last known good state (e.g. removing the patches from the system and/or restoring a previous backup from Microsoft DPM or the Azure Backup service) or fixing forward (e.g. deploying a more recent hotfix that corrects a problem introduced by a patch).

Systems that are removed from the network as a result of insufficient patching will only be reconnected when it can be demonstrated that they have been brought up to date and no longer present a risk to SnowBe's network.

Those with patching roles as detailed in the Roles & Responsibilities section are required to compile and maintain reporting metrics that summarise the outcome of each patching cycle. These reports shall be used to evaluate the current patching levels of all systems and to assess the current level of risk. SnowBe will endeavour to achieve 100% compliance for patching Operating Systems under its management.
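The deployment windows, the Patch Tuesday schedule and the per-cycle reporting metrics above can be checked mechanically. The following is an added example written for this page, not part of the SnowBe policy or any SnowBe tooling: it computes the Microsoft deployment date for a month (first Monday after the second Tuesday), derives each patch's deadline from the policy's day counts, and summarises a cycle into the compliant/late/pending/overdue counts a patching report needs. The hostnames, patch labels and dates are constructed sample data, and the "mitigated" flag is an assumed way of recording that a compensating control was applied to an overdue Critical/High patch.

```python
"""Patch-cycle compliance report applying the SnowBe policy's deployment
windows. Added example; records below are constructed sample data."""
from __future__ import annotations

import calendar
from dataclasses import dataclass
from datetime import date, timedelta

# Full-deployment windows in calendar days, taken from the policy table.
DEPLOYMENT_WINDOW_DAYS = {"critical": 14, "high": 14, "medium": 21, "low": 28}


def patch_tuesday(year: int, month: int) -> date:
    """Second Tuesday of the month (Microsoft's usual security release day)."""
    first = date(year, month, 1)
    days_to_first_tuesday = (calendar.TUESDAY - first.weekday()) % 7
    return first + timedelta(days=days_to_first_tuesday + 7)


def microsoft_deploy_date(year: int, month: int) -> date:
    """First Monday after Patch Tuesday: the policy's scheduled deployment day."""
    return patch_tuesday(year, month) + timedelta(days=6)


def deadline(severity: str, released: date) -> date:
    """Latest date by which full deployment must be complete."""
    return released + timedelta(days=DEPLOYMENT_WINDOW_DAYS[severity.lower()])


@dataclass(frozen=True)
class PatchRecord:
    host: str
    patch: str
    severity: str            # vendor classification: critical/high/medium/low
    released: date           # vendor release date
    deployed: date | None    # None = not yet deployed
    mitigated: bool = False  # assumed field: compensating control recorded


def assess(rec: PatchRecord, as_of: date) -> str:
    """Classify one record against its deadline as seen on `as_of`."""
    due = deadline(rec.severity, rec.released)
    if rec.deployed is not None:
        return "compliant" if rec.deployed <= due else "late"
    if as_of <= due:
        return "pending"
    # Past the window and still not deployed: the policy requires a
    # compensating control; without one the host needs action.
    return "overdue_mitigated" if rec.mitigated else "overdue"


def cycle_report(records: list[PatchRecord], as_of: date) -> dict:
    """Reporting metrics for one patching cycle."""
    statuses = ("compliant", "late", "pending", "overdue_mitigated", "overdue")
    report: dict = {s: 0 for s in statuses}
    needs_action = []
    for rec in records:
        status = assess(rec, as_of)
        report[status] += 1
        if status == "overdue":
            needs_action.append(rec.host)
    total = len(records)
    report["total"] = total
    report["compliance_pct"] = round(100 * report["compliant"] / total, 1) if total else 0.0
    report["needs_action"] = sorted(needs_action)
    return report


# Constructed sample cycle: July 2022 Patch Tuesday releases plus one older patch.
AS_OF = date(2022, 8, 1)
SAMPLE_CYCLE = [
    PatchRecord("srv-fin-01", "patch-A", "critical", date(2022, 7, 12), date(2022, 7, 18)),
    PatchRecord("ws-0042",    "patch-A", "high",     date(2022, 7, 12), date(2022, 7, 29)),
    PatchRecord("srv-web-02", "patch-B", "medium",   date(2022, 7, 12), None),
    PatchRecord("srv-db-03",  "patch-A", "critical", date(2022, 7, 12), None, mitigated=True),
    PatchRecord("laptop-17",  "patch-C", "low",      date(2022, 7, 12), None),
    PatchRecord("srv-app-04", "patch-D", "high",     date(2022, 6, 14), None),
]


def sample_report() -> dict:
    return cycle_report(SAMPLE_CYCLE, AS_OF)


if __name__ == "__main__":
    print("Patch Tuesday:", patch_tuesday(2022, 7), "deploy on:", microsoft_deploy_date(2022, 7))
    for rec in SAMPLE_CYCLE:
        print(f"{rec.host:12} {rec.severity:9} due {deadline(rec.severity, rec.released)}  {assess(rec, AS_OF)}")
    print(sample_report())
```

A host that is "overdue" with no compensating control is the case the policy says should lead to removal from the network; "late" records count against the 100% target even though they are now patched, which is why the report keeps them separate from "compliant".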

This policy is subject to review every 6 months to ensure that it is accurate, effective and
up to date.

Exceptions/Exemptions
Exceptions to the patch management policy require formal documented approval from
the Deputy Director of IT.

Enforcement
N/A


Version History Table

Implementation date | Document owner | Approved by    | Description | Version
July 20th, 2022     | James Williams | James Williams | N/A         | 1.0

Sans Library template:
https://www.roehampton.ac.uk/globalassets/documents/corporate-information/policies/cyber-security-policies/patch-management-policy.pdf