Skip to main content

Vulnerability and Patch Management Policy

Due to increasing cyber security threats and attacks, the campus has mandated the following Vulnerability and Patch Management Policy. It is everyone’s responsibility to ensure all university-owned computers, including laptops and work-from-home devices remain compliant with this policy.  Computers that go long periods of time without connecting to the Internet and our management tools are at greater risk because they are not getting regular security updates.  Therefore, the SOM Information Security Office, along with your departmental IT groups, will be implementing new enforcement actions regarding inactive computers to ensure compliance.  

It is the expectation of everyone that has been provided a university-owned computer, including laptops and work-from-home devices, that the computer remains powered on and connected to the Internet for a minimum of 24 consecutive hours each week.   This connection time allows the computer to receive critical security updates.

Beginning October 14, 2024, computers not adhering to the above expectation will be identified and a progressive remediation effort will be initiated.   These remediation steps are outlined below:

  • Step 1 – If a computer has not been observed as online in the last 14 consecutive days, the identified user of the computer will be contacted via email with a reminder to connect the device to the Internet for a minimum of 24 consecutive hours.
  • Step 2 - If a computer has not been observed as online in the last 21 consecutive days, the identified user will be notified via email with a reminder to connect the computer to the Internet for a minimum of 24 consecutive hours and that the computer will have network access disabled if not connected within 7 days.
  • Step 3 – If a computer has not been observed as online in the last 28 consecutive days, the computer will have network access disabled and a notification via email will be sent to the identified user requesting that they coordinate a time with their departmental IT support group to re-activate network connectivity and ensure security updates are installed.
  • Step 4 - If a computer has not been observed as online in the last 60 consecutive days, the identified user of the device will be notified that they are required to return the device to their departmental IT support group.

Please understand that device vulnerabilities are a concern at the highest levels of the school and campus due to increasing threats.

Thank you for your cooperation in keeping our systems secure. If you have any questions, please reach out to the SOM Information Security Office at iso-alert@som.umaryland.edu

 

UMB Vulnerability and Patch Management Policy


I. OVERVIEW

Vulnerability and patch management is a security practice designed to proactively prevent the exploitation of IT vulnerabilities that exist within an organization. Proactively addressing vulnerabilities of UMB owned systems and devices through the application of security patches/fixes reduces or eliminates the possibility of system and data exploitation. The expected result of effective patch and vulnerability management is strong IT security and the prevention of system and data exploitation that leads to severe negative consequences for the organization and institution. 

II. PURPOSE

To establish a policy for removing security vulnerabilities from UMB systems by ensuring applicable and required security patches are applied in a timely manner.

III. SCOPE

This policy applies to all UMB owned systems and devices. 

IV. POLICY STATEMENT

A regular, ongoing process should be implemented and followed for applying patches to UMB owned systems and devices. Critical and high vulnerability patches and/or hotfixes that are reported by system vendors and/or from other trusted sources, e.g., the US-CERT (United States Computer Emergency Readiness Team), MITRE’s CVE (Common Vulnerabilities and Exposures), must be applied within 30 days of release unless there is a compelling reason why the patch cannot be applied in that timeframe. The UMB Security and Compliance team must be contacted if a patch cannot be applied within 30 days of release. The Security and Compliance team will review, assess, and document the situation and determine if a temporary exception can be approved. Medium vulnerabilities need to be patched as soon as possible.  

[back to top]