Patch Management Policy
SP-10 IT Patch Management Policy
Purpose
This document establishes the patch management policy for SnowBe (the Company). This
policy defines requirements for the management of information security vulnerabilities and the
notification, testing, and installation of security-related patches on devices connected to the
Company network. This policy applies to all information systems and information resources
owned or operated by or on behalf of the Company.
SnowBe is committed to ensuring a secure computing environment and recognizes the need to
prevent and manage IT vulnerabilities. A compromised computer threatens the integrity of the
network and all computers connected to it. Patch and vulnerability management is a security
practice designed to proactively prevent the exploitation of IT vulnerabilities that exist within
an organization. Proactively managing vulnerabilities reduces or eliminates the potential for
exploitation and takes considerably less time and effort than responding after exploitation
has occurred.
The purpose of this policy is to ensure that all Company-owned devices are proactively
managed and patched with appropriate security updates.
Scope
• All users and system administrators of SnowBe network resources.
• All systems and devices that comprise or connect to the SnowBe network.
• All users who conduct SnowBe business using external networks.
Definitions
Patch Management: A formal process for applying patches to systems and resources in order
to protect against vulnerabilities.
IT: Information Technology
Change Management Log Report: Log that is maintained by IT Staff Members related to
changes in the IT Environment, including recording of patches.
Patch: Software or firmware update provided by the application or system vendor.
Third-Party Vendors: Vendors that the institution does business with. In the case of patch
management, these are the software and hardware vendors whose products the institution
uses for business purposes.
1
<Template Policy> – V 1.0
Status: Working Draft Approved Adopted
Document owner:
2/3/2022
Policy
This policy provides the processes and guidelines necessary to:
• Maintain the integrity of network systems and data by applying the latest operating
system and application security updates/patches in a timely manner.
• Establish a baseline methodology and timeframe for patching and confirming patch
management compliance.
Desktops, laptops, servers, applications, and network devices represent access points to sensitive
and confidential company data, as well as to technology resources and services. Ensuring that
updates and patches are distributed and implemented in a timely manner is essential to
maintain system stability and mitigate malware, exploitation, and other security threats.
All system components and software shall be protected from known vulnerabilities by installing
applicable vendor-supplied security patches. System components and devices attached to the
SnowBe network shall be regularly maintained by applying critical security patches within thirty
(30) days after release by the vendor. Other patches that are medium/high severity or for non-
critical systems must be rolled out within ninety (90) calendar days. Any low priority patches
will be installed on a case-by-case basis. All patches should be tested on development systems
before being rolled out to production, where possible.
In the case where patches cannot follow the aforementioned schedule, a document must be
produced explaining why the patch must be deferred. Permissible deferrals may include a lack
of appropriate change windows within the appropriate timeframe or a conflict with other
critical changes scheduled at the time. Any patches which are to be deferred longer than the
scheduled timeframe must be approved by the Director of IT for Security or Chief Information
Officer or his/her assignee. All deferred patches must be reviewed at least quarterly.
Patches on production systems (e.g., servers and enterprise applications) may require complex
testing and installation procedures. In certain cases, risk mitigation rather than patching may be
preferable. The risk mitigation alternative selected should be determined by comparing the
outage risk of applying the patch against the exposure risk of leaving the vulnerability
unmitigated. The reason for any departure from the above standard, and the alternative
protection measures taken, shall be documented in writing for devices storing non-public data.
On occasion a software vendor will release a highly critical security patch outside of their
normal release cycle. The usual reason for the release of an out-of-band patch is the
appearance of an unexpected, widespread, destructive exploit that will likely affect a large
number of users. In the event of a published out-of-band patch, IT will expedite the validation
process. Once validated, users will have one business day to install the patch and reboot their machine to
apply the patch. IT will communicate appropriately regarding any critical patches outside the
normal release cycle.
All Company-owned endpoints are to have critical operating system and key application patches
installed within 30 days of release by the vendor. This policy applies to all Enterprise Servers
owned by the Company. It also applies to Company-issued endpoints bound to Active
Directory (AD).
Third-Party Vendor Patch Management
Third-party patch management is the process of installing patches to third-party applications
(software or hardware/firmware) that are installed on premises or in the cloud for use by the
institution. Such patches address bugs or vulnerabilities in the software or firmware.
Third-party patching is critical for the security of our organization and assists us in preventing
data breaches.
A system reboot is required to successfully install most security patches. Until the reboot
occurs, the computer remains vulnerable to the attacks that the installed patch protects against.
IT understands the impact that ill-timed reboots can have on the Company community and user
productivity. In order to provide the Company community with as much flexibility as possible,
security updates will be deployed after regular hours on servers, devices, and hardware when
possible. End-user machine updates typically take effect on the user's next reboot. The
standard maintenance window for applying patches at the Company is Thursday mornings
between 1:00am and 5:00am. Third-party vendor software and firmware patch management is
overseen by Administrative Systems and Technical Services within the Office of Information
Technology. A log is kept recording the patch management activity for each application and/or
firmware product that the institution patches. IT is evaluating Patch My PC for Windows
machines and Jamf for Macs as an automated way to record patch management for local
machines. SaaS applications are documented manually.
Exceptions/Exemptions
1. Exceptions to the guiding principles in this policy must be documented and formally
approved by the IT Director.
2. Policy exceptions must describe:
2.1. The nature of the exception
2.2. A reasonable explanation for why the policy exception is required
2.3. Any risks created by the policy exception
2.4. Evidence of approval by the IT Director
Enforcement
Staff members found in policy violation may be subject to disciplinary action, up to and
including termination.
Citation
https://www.mountunion.edu/documents/hidden%20pages/company%20policies/technology/it%20patch%20management%20policy.pdf