Patch Management Policy

1. Purpose

1.1.  This policy describes the requirements for maintaining up-to-date operating system patching, security patches and installed software version levels on all Aberystwyth University owned IT equipment and services.

2. Scope

2.1.  This policy is applicable to all Aberystwyth University employees; it should be understood and used by them as necessary to perform their duties.  It is applicable to:

  • Workstations, laptops, mobile phones, PDAs, iPads, tablets, servers, networks, hardware devices, software and applications owned by Aberystwyth University.  This includes third party devices used to support AU services.
  • CCTV systems where recordings are backed up to the University’s networks.
  • EPOS systems using Aberystwyth University networks.
  • Research devices and technologies: this policy should be complied with as much as possible. However, depending on the specific nature of the devices and technologies used for research it is recognised that there will need to be some exceptions. Any exceptions must be raised with the Aberystwyth University Cyber Security Officer.

3. Policy

3.1.  University controls:

  • All IT systems (as defined in section 2), whether owned by Aberystwyth University or being developed and supported by third parties, must be manufacturer supported and must run operating systems and application software that are up to date and security patched.
  • Security patches must be installed to protect the assets from known vulnerabilities.
  • Any patches categorised as ‘Critical’ or ‘High risk’ by the vendor must be installed within 7 days of release from the operating system or application vendor.
  • Other vulnerabilities must be patched in accordance with the Vulnerability Management Policy.

3.2.  Third Party Suppliers

Security patches must be up to date for IT systems which are being designed and delivered by third party suppliers prior to going live. Third party suppliers must apply patches as stipulated below and be prepared to provide evidence of up-to-date patching before IT systems are accepted into service and thus become operational.

Once the IT systems are operational the following timescales apply:

  • Critical or High-Risk vulnerabilities – 14 calendar days
  • Low / Medium – 21 calendar days

3.3.  Exceptions

Any exceptions must be raised with the Aberystwyth University Cyber Security Officer.

4. Supporting Policies

4.1.  This policy should be read in conjunction with other associated policies such as:

This policy is maintained by Information Services, was last reviewed in October 2022 and is due for review in October 2023.