Vulnerability and Patch Management Standard

Last Updated: May 2016

1.0 Overview

University of Michigan-Dearborn is responsible for ensuring the confidentiality, integrity, and availability of its data and that of customer/student data stored on its systems.  University of Michigan-Dearborn has an obligation to provide appropriate protection against malware threats, such as viruses, Trojans, and worms which could adversely affect the security of the system or its data entrusted on the system (SPG 601.27 and 601.07).  Effective implementation of this standard will limit the exposure and effect of common malware threats to the systems within this scope.

2.0 Purpose

This document describes the requirements for maintaining up-to-date operating system security patches on all University of Michigan-Dearborn owned and managed workstations and servers.

3.0 Scope

This standard applies to workstations or servers owned or managed by University of Michigan-Dearborn.  This includes systems that contain university, student, faculty, and/or research data owned or managed by University of Michigan-Dearborn regardless of location.  The scope of this standard includes (but is not limited to) the following systems, hardware, and operating systems, which have been categorized according to the team that manages them:

  • UNIX/Linux/Solaris/Apple Mac OS X servers and workstations (desktops and laptops)
  • Microsoft Windows servers and workstations (desktops and laptops)
  • Network Devices (switches, routers, wireless controllers, wireless access points)
  • Embedded systems, appliances, digital signage, climate control/HVAC devices, and other critical infrastructure.

4.0 Policy

Workstations and servers owned by University of Michigan-Dearborn must have up-to-date operating system security patches installed to protect the asset from known vulnerabilities.  This includes all laptops, desktops, and servers owned and managed by University of Michigan-Dearborn.  Systems containing sensitive information are to be given the highest patching and update priority during times of limited personnel resources and/or time constraints.  Critical or high risk zero-day vulnerabilities must be patched in less than 48 hours of the release of a patch that remediates the vulnerability.  If no patch or mitigation for a zero-day vulnerability is available at the time of notification, the patch or mitigation must be applied within 48 hours of its being made publicly available.

4.1 Patch Classification

Linux/UNIX patch classification will follow Red Hat standards:

Level - Description

Critical - This rating is given to flaws that could be easily exploited by a remote unauthenticated attacker and lead to system compromise (arbitrary code execution) without requiring user interaction. These are the types of vulnerabilities that can be exploited by worms. Flaws that require an authenticated remote user, a local user, or an unlikely configuration are not classed as Critical impact.

Important - This rating is given to flaws that can easily compromise the confidentiality, integrity, or availability of resources. These are the types of vulnerabilities that allow local users to gain privileges, allow unauthenticated remote users to view resources that should otherwise be protected by authentication, allow authenticated remote users to execute arbitrary code, or allow remote users to cause a denial of service.

Moderate - This rating is given to flaws that may be more difficult to exploit but could still lead to some compromise of the confidentiality, integrity, or availability of resources, under certain circumstances. These are the types of vulnerabilities that could have had a Critical impact or Important impact but are less easily exploited based on a technical evaluation of the flaw, or affect unlikely configurations.

Low - This rating is given to all other issues that have a security impact. These are the types of vulnerabilities that are believed to require unlikely circumstances to be able to be exploited, or where a successful exploit would give minimal consequences.

Windows patch classification will follow Microsoft standards:

Level - Description

Critical - A vulnerability whose exploitation could allow code execution without user interaction. These scenarios include self-propagating malware (e.g. network worms), or unavoidable common use scenarios where code execution occurs without warnings or prompts. This could mean browsing to a web page or opening email. Microsoft recommends that customers apply Critical updates immediately.

Important - A vulnerability whose exploitation could result in compromise of the confidentiality, integrity, or availability of user data, or of the integrity or availability of processing resources. These scenarios include common use scenarios where the client is compromised with warnings or prompts regardless of the prompt's provenance, quality, or usability. Sequences of user actions that do not generate prompts or warnings are also covered. Microsoft recommends that customers apply Important updates at the earliest opportunity.

Moderate - Impact of the vulnerability is mitigated to a significant degree by factors such as authentication requirements or applicability only to non-default configurations. Microsoft recommends that customers consider applying the security update.

Low - Impact of the vulnerability is comprehensively mitigated by the characteristics of the affected component. Microsoft recommends that customers evaluate whether to apply the security update to the affected systems.

Nessus vulnerability scoring equivalents:

Red Hat/Microsoft Classification - Nessus Equivalent

Critical - Critical
Important - High
Moderate - Medium
Low - Low


4.2 Workstations

Desktops and laptops must have automatic updates enabled for operating system security patches.  This should be the default configuration for all workstations built by University of Michigan-Dearborn.  These security patches are required to be applied on a monthly basis regardless of priority level.  Exceptions to this standard must be approved by the Director of Information Technology at the University of Michigan-Dearborn and forwarded to the CISO for review.  See Section 8.0 on Exceptions.

4.3 Servers

Servers must be patched at regular intervals; these patching intervals should be as frequent as possible.  Monthly application of security patches is required; however, it is highly recommended that servers with available zero-day, critical, and/or high risk security vulnerabilities not be left unpatched for more than two weeks from the date of release of the applicable security patch(es).  Newly released critical/high severity zero-day vulnerabilities shall be patched in less than 48 hours.  All other relevant operating system and software updates/patches must be applied no less frequently than on a monthly basis.  These minimum baseline requirements are enforced in order to ensure the security of University of Michigan-Dearborn assets and the data that resides on each system.  Exceptions to this standard must be approved by the Director of Information Technology at the University of Michigan-Dearborn and forwarded to the CISO for review.  See Section 8.0 on Exceptions.

5.0 Roles and Responsibilities

  • ITS Infrastructure team will manage the patching needs for all Windows, Linux, UNIX, and Solaris servers on the network, with the exception of the Applications Team responsibilities described immediately below.
  • ITS Applications Team is responsible for patching coordination and timing requirements of business and student information systems, databases, and web applications.  Additionally, in order to meet the requirements defined in this standard, responsibility for coordinating proper timing and frequency of operating system patching for the underlying systems hosting all business and student information systems, databases, and web applications falls solely on ITS Applications Team leadership.
  • ITS Operations and Infrastructure teams will collaboratively manage the patching needs of all workstations.  ITS Operations team will manage the patching needs of printers, audio/video equipment, and other end-user accessible devices on the network.
  • ITS Infrastructure team will manage the patching needs for all network devices which collectively keep the network operational and functional.
  • Information Assurance is responsible for routinely assessing compliance with the patching policy and will provide guidance to all groups in issues of security and patch management.
  • The Change Management team is responsible for approving the monthly and emergency patch management deployment requests.
  • Non-ITS Functional Departments will be responsible for their respective systems such as HVAC, digital signage, embedded systems, fire alarms, and other critical infrastructure.  This includes holding vendors accountable for adherence to this standard.

6.0 Monitoring and Reporting

The University of Michigan-Dearborn ITS department is responsible for compiling and maintaining adequate reporting metrics that summarize the outcome of each patching cycle.  These reports shall be used to evaluate the current patching levels of all systems and to assess the current level of risk.  These reports shall be made available to Information Assurance and Internal Audit upon request.

7.0 Enforcement

Implementation of this standard is ultimately the responsibility of all employees at University of Michigan-Dearborn.  Responsibility for enforcement of this standard lies solely with the UM-Dearborn Director of Information Technology.

Information Assurance and Internal Audit may conduct random assessments to ensure compliance with this standard with or without notice.  Any system found in violation of this standard shall require immediate corrective action(s). Violations shall be noted in the University of Michigan-Dearborn issue tracking system, and appropriate personnel, IT and/or non-IT, shall be assigned to remediate the issue.  Repeated failures to follow this standard may lead to escalation to the office of the University of Michigan CISO.

8.0 Exceptions

All exceptions to this patch management standard require documented approval from the Director of Information Technology at the University of Michigan-Dearborn.  However, exceptions must ultimately be approved by the Office of the CISO if the exception(s) is/are to persist for more than one fiscal quarter; exceptions involving systems which contain sensitive information require immediate review by the Office of the CISO.  Any servers or workstations housing sensitive information that do not comply with this particular standard or overarching SPG policies must have an approved exception on file with the Office of the CISO.  Please consult the Office of the CISO or your local Information Assurance representative for details on filing exceptions.

9.0 Definitions

Term - Definition

CISO - Chief Information Security Officer

Sensitive Information - Refers to information whose unauthorized disclosure may have serious adverse effect on the University’s reputation, resources, services, or individuals. Information protected under federal or state regulations or due to proprietary, ethical, or privacy considerations will typically be classified as sensitive.

Confidentiality - Refers to the level of assurance that information is not made available or disclosed to unauthorized individuals, entities, or processes.

Integrity - Refers to the assurance that information is not accidentally or maliciously altered or destroyed.

Availability - Refers to the level of assurance that authorized users have access to information resources when required.

Patch - A piece of software designed to fix problems with, or update, a computer program or its supporting data.

Zero-day vulnerability - Refers to a hole in software that is unknown to the vendor. This security hole is then exploited by attackers before the vendor becomes aware of it and hurries to fix it; such an exploit is called a zero-day attack.

Mitigation - Taking appropriate steps in order to reduce the overall impact and/or severity of an applicable vulnerability.