Vulnerability and Patch Management Policy
Due to increasing cyber security threats and attacks, the campus has mandated the following Vulnerability and Patch Management Policy. It is everyone’s responsibility to ensure all university-owned computers, including laptops and work-from-home devices, remain compliant with this policy. Computers that go long periods without connecting to the Internet and our management tools are at greater risk because they are not receiving regular security updates. Therefore, the SOM Information Security Office, along with your departmental IT groups, will be implementing new enforcement actions regarding inactive computers to ensure compliance.
Beginning October 14, 2024, computers not adhering to the above expectation will be identified and a progressive remediation effort will be initiated. These remediation steps are outlined below:
- Step 1 – If a computer has not been observed as online in the last 14 consecutive days, the identified user of the computer will be contacted via email with a reminder to connect the device to the Internet for a minimum of 24 consecutive hours.
- Step 2 – If a computer has not been observed as online in the last 21 consecutive days, the identified user will be notified via email with a reminder to connect the computer to the Internet for a minimum of 24 consecutive hours and that the computer will have network access disabled if not connected within 7 days.
- Step 3 – If a computer has not been observed as online in the last 28 consecutive days, the computer will have network access disabled and a notification via email will be sent to the identified user requesting that they coordinate a time with their departmental IT support group to re-activate network connectivity and ensure security updates are installed.
- Step 4 – If a computer has not been observed as online in the last 60 consecutive days, the identified user of the device will be notified that they are required to return the device to their departmental IT support group.
Please understand that device vulnerabilities are a concern at the highest levels of the school and campus due to increasing threats.
Thank you for your cooperation in keeping our systems secure. If you have any questions, please reach out to the SOM Information Security Office at iso-alert@som.umaryland.edu.
UMB Vulnerability and Patch Management Policy
I. OVERVIEW
Vulnerability and patch management is a security practice designed to proactively prevent the exploitation of IT vulnerabilities that exist within an organization. Proactively addressing vulnerabilities of UMB owned systems and devices through the application of security patches/fixes reduces or eliminates the possibility of system and data exploitation. The expected result of effective patch and vulnerability management is strong IT security and the prevention of system and data exploitation that leads to severe negative consequences for the organization and institution.
II. PURPOSE
To establish a policy for removing security vulnerabilities from UMB systems by ensuring applicable and required security patches are applied in a timely manner.
III. SCOPE
This policy applies to all UMB owned systems and devices.
IV. POLICY STATEMENT
A regular, ongoing process should be implemented and followed for applying patches to UMB owned systems and devices. Critical and high vulnerability patches and/or hotfixes that are reported by system vendors and/or from other trusted sources, e.g., the US-CERT (United States Computer Emergency Readiness Team), MITRE’s CVE (Common Vulnerabilities and Exposures), must be applied within 30 days of release unless there is a compelling reason why the patch cannot be applied in that timeframe. The UMB Security and Compliance team must be contacted if a patch cannot be applied within 30 days of release. The Security and Compliance team will review, assess, and document the situation and determine if a temporary exception can be approved. Medium vulnerabilities need to be patched as soon as possible.
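Both the progressive remediation schedule in the announcement above (14/21/28/60 consecutive days offline) and the 30-day SLA for critical and high patches in this section lend themselves to an automated compliance report. The following Python is an added example, not UMB's own tooling: it assumes a constructed device inventory with per-device last check-in times and patch records, and it treats a device with no check-in on record as having reached step 4, which the policy text does not state.

```python
from datetime import datetime, timedelta, timezone

# Progressive remediation windows from the announcement: (consecutive days offline, step).
# Ordered longest first so a device maps to the highest step it has reached.
OFFLINE_STEPS = ((60, 4), (28, 3), (21, 2), (14, 1))
# Section IV: critical and high patches must be applied within 30 days of release.
SLA_DAYS = {"critical": 30, "high": 30}

def remediation_step(last_seen, now):
    """Return the remediation step (0 = no action, 1-4) a device has reached.
    Assumption not stated on the page: a device with no check-in on record is
    treated as offline longer than any window and lands on step 4."""
    if last_seen is None:
        return 4
    offline_days = (now - last_seen).days
    for min_days, step in OFFLINE_STEPS:
        if offline_days >= min_days:
            return step
    return 0

def patch_status(severity, released, applied, now):
    """Classify one patch: compliant (applied in window), late (applied after it),
    pending (window open), overdue (window closed, not applied), or outstanding
    (medium: "as soon as possible", no hard deadline on the page, not applied)."""
    limit = SLA_DAYS.get(severity.lower())
    if limit is None:
        return "compliant" if applied else "outstanding"
    deadline = released + timedelta(days=limit)
    if applied is not None:
        return "compliant" if applied <= deadline else "late"
    return "pending" if now <= deadline else "overdue"

def fleet_report(devices, now):
    """Summarise an inventory as host -> (remediation step, worst patch status)."""
    order = ["compliant", "pending", "outstanding", "late", "overdue"]
    out = {}
    for d in devices:
        statuses = [patch_status(p["severity"], p["released"], p["applied"], now) for p in d["patches"]]
        worst = max(statuses, key=order.index) if statuses else "compliant"
        out[d["host"]] = (remediation_step(d["last_seen"], now), worst)
    return out

NOW = datetime(2024, 11, 1, tzinfo=timezone.utc)  # fixed clock so results are reproducible
def ago(days): return NOW - timedelta(days=days)  # constructed timestamps relative to NOW
DEVICES = [  # constructed inventory; hostnames are placeholders, not real machines
    {"host": "lab-01", "last_seen": ago(3), "patches": [{"severity": "critical", "released": ago(10), "applied": ago(2)}]},
    {"host": "lab-02", "last_seen": ago(25), "patches": [{"severity": "high", "released": ago(45), "applied": None}]},
    {"host": "lab-03", "last_seen": None, "patches": [{"severity": "medium", "released": ago(5), "applied": None}]},
]
```

Running `fleet_report(DEVICES, NOW)` places lab-02 at step 2 with an overdue high patch and lab-03 at step 4; the exception workflow in section IV would then apply to any overdue item the department cannot remediate within the window.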