This procedure is in support of the Institute Cyber Security Policy and the Data Protection Safeguards. Information Technology assets that are unpatched represent a risk to the Institute as both operating system and application security patches are often created in order to address vulnerabilities that could allow threat actors to exploit Institute systems. This could lead to the loss of confidentiality and integrity of Institute data as well as the loss of availability of Institute systems.
The Cyber Security Policy and the Data Protection Safeguards dictate that all Institute assets (operating systems, applications, etc.) deploy security patches within 30 days of release; a policy exception is required if this standard can’t be met. The following procedures clarify what is expected to meet this standard.
This procedure applies to all Institute-owned and managed systems and applications.
- System administrators must monitor all applicable vendor informational sites on a regular basis to stay aware of when operating system and application patches are made available.
- Patches must be tested in an appropriate dev/test environment, when available, to understand the impact of deploying the patch in the production environment.
- Prior to production deployment, a back out plan must be in place to roll back changes in the event the patch causes issues with the production environment.
- Prior to production deployment, the Change Manager must approve the change to the production environment. A communication plan must be established 48 hours, at a minimum, before the change occurs.
- If a patch cannot be implemented in the production environment within 30 days of the release, then an exception request must be filed and approved by Cyber Security. For approved exceptions, a monthly meeting between the exception requestor and Cyber Security must be established to review the progress of these exceptions.
- The exception request must document why the patch cannot be implemented in the production environment and must enumerate mitigating controls that will be put in place to reduce the risk to the system and data given that the patch cannot be applied.
Georgia Tech Cyber Security will monitor for high severity vulnerabilities and communicate relevant remediation information to system administrators.