Information Security
Patch Management Standard
Last modified 11/3/2025
Purpose
The purpose of the Patch Management Standard is to ensure that all networked ISU systems, applications, and network devices remain secure, stable, and compliant with regulatory requirements by implementing a structured approach to identifying, testing, deploying, and verifying patches.
This standard aligns with state and federal regulatory and contractual requirements as well as industry best practices. It provides a structured approach to mitigating security vulnerabilities, reducing the risk from threats, and maintaining operational continuity in support of the University's secure operational environment.
Scope
This standard applies to all firmware and software on systems owned or managed by or on behalf of the University ("systems"), including but not limited to servers, endpoints, and appliances. This standard is relevant to all University departments and units that manage, maintain, or use scoped systems, including those that rely on vendor management of these systems.
Scope Exemptions
This standard does not apply to systems with all network capabilities disabled or disconnected.
This standard does not apply to personal devices not managed by the University.
This standard is superseded by any patch or vulnerability that falls within the scope of the Vulnerability Management Standard, the risk-based vulnerability response playbooks, or any active incident response engagement.
Standard
University teams and departments ("teams") or vendors managing systems within this standard's scope must meet the following criteria:
- Systems must have an individual or team assigned responsibility for implementing and maintaining patch management, whether it is performed automatically or manually.
- Teams must maintain a documented inventory of system hardware and software under their patch management scope.
- Teams must monitor industry patch resources and security advisories to identify patch availability.[2]
- Systems must have an operating system or firmware installed that is supported by the vendor.
- Devices must be registered and actively managed in one or more of the University device management systems[1] if supported by the client operating system and a device management system.
- Systems must be configured to receive operating system security updates automatically where supported.
- Endpoints[4] must be configured to receive non-operating system software updates automatically where supported.
- Patch testing procedures must be documented and followed.
- Change processes must be documented and followed for patch installation.
- Server[3] security patch deployment must be initiated within 7 days of availability and completed within 30 days, including any required reboots and patch validation.
- Endpoint[4] security patch deployment must be initiated within 7 days of availability and completed within 45 days, including any required reboots and patch validation.
- Teams must validate vendor-managed patching for ISU-owned systems.
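The two timeline requirements above (initiate within 7 days; complete within 30 days for servers or 45 days for endpoints, including reboots and validation) are the ones a team has to report on. The following script is an added illustration of how a team could evaluate its own patch records against those timelines; it is not part of this standard or any University tool. The record fields, the system names, and the patch identifiers are constructed for the example and are not taken from any real inventory.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Timelines stated in the standard: deployment initiated within 7 days of
# availability, completed (including reboots and validation) within 30 days
# for servers and 45 days for endpoints. Every system is one or the other.
INITIATE_DAYS = 7
COMPLETE_DAYS = {"server": 30, "endpoint": 45}


@dataclass
class PatchRecord:
    # Field layout is an assumption for this example, not a University format.
    system: str
    system_class: str             # "server" or "endpoint"
    patch_id: str
    available: date               # date the vendor made the security patch available
    initiated: Optional[date]     # date deployment began; None if not yet started
    completed: Optional[date]     # date deployment, reboots and validation finished


def deadlines(record: PatchRecord):
    """Return (initiate_by, complete_by) for a record based on its class."""
    if record.system_class not in COMPLETE_DAYS:
        raise ValueError(f"{record.system}: unknown class {record.system_class!r}")
    return (record.available + timedelta(days=INITIATE_DAYS),
            record.available + timedelta(days=COMPLETE_DAYS[record.system_class]))


def evaluate(record: PatchRecord, as_of: date):
    """Classify one record as 'compliant', 'in_progress' or 'noncompliant'
    as of a given date, with the findings that explain a noncompliant result."""
    initiate_by, complete_by = deadlines(record)
    # A record that is completed but never marked initiated is treated as
    # initiated on its completion date rather than as never started.
    started = record.initiated or record.completed
    findings = []
    if started is None:
        if as_of > initiate_by:
            findings.append(f"initiation overdue (due {initiate_by})")
    elif started > initiate_by:
        findings.append(f"initiated late on {started} (due {initiate_by})")
    if record.completed is None:
        if as_of > complete_by:
            findings.append(f"completion overdue (due {complete_by})")
    elif record.completed > complete_by:
        findings.append(f"completed late on {record.completed} (due {complete_by})")
    if findings:
        return "noncompliant", findings
    if record.completed is None:
        return "in_progress", []
    return "compliant", []


def summarize(records, as_of: date):
    """Count records per status and collect findings for noncompliant systems."""
    counts = {"compliant": 0, "in_progress": 0, "noncompliant": 0}
    details = {}
    for rec in records:
        status, findings = evaluate(rec, as_of)
        counts[status] += 1
        if findings:
            details[rec.system] = findings
    return counts, details


# Constructed sample records (hypothetical systems and placeholder patch ids).
AS_OF = date(2025, 10, 15)
SAMPLE_RECORDS = [
    PatchRecord("srv-db-01", "server", "PATCH-EXAMPLE-001",
                date(2025, 9, 1), date(2025, 9, 3), date(2025, 9, 20)),
    PatchRecord("srv-web-02", "server", "PATCH-EXAMPLE-001",
                date(2025, 9, 1), date(2025, 9, 3), None),
    PatchRecord("lap-0042", "endpoint", "PATCH-EXAMPLE-002",
                date(2025, 9, 1), date(2025, 9, 5), date(2025, 10, 10)),
    PatchRecord("lap-0077", "endpoint", "PATCH-EXAMPLE-003",
                date(2025, 10, 1), None, None),
    PatchRecord("srv-app-03", "server", "PATCH-EXAMPLE-004",
                date(2025, 10, 10), date(2025, 10, 14), None),
]

if __name__ == "__main__":
    counts, details = summarize(SAMPLE_RECORDS, AS_OF)
    print(f"Patch compliance as of {AS_OF}: {counts}")
    for system, findings in details.items():
        print(f"  {system}: " + "; ".join(findings))
```

Run stand-alone, the script reports two compliant systems, one still in progress, and two noncompliant systems: the server whose completion window of 30 days has passed and the endpoint that was never started within 7 days. Separating "initiated" from "completed" matters because the standard sets both clocks from the availability date, so a deployment that starts on time can still fail the completion requirement.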
Exceptions
While this standard is intended to apply comprehensively, there may be instances where certain systems or support teams are unable to meet the full requirements. In such cases, exceptions must be formally requested and reviewed.
Requests for exceptions must be submitted to the Information Security Office through the University’s ticketing system or by emailing informationsecurityoffice@ilstu.edu. Each request must include:
- The information technology team and functional business units associated with the exception request
- Systems and firmware/software affected by the exception
- A detailed use case explaining why the exception is necessary and what compensating security controls, if any, will be implemented
The Information Security Office will review all exception requests in accordance with the Information Security Program's exception management process. Approval will be granted only when it is determined that operational needs outweigh the security risks, and where appropriate compensating controls are in place to mitigate those risks. All approved exceptions will be documented, periodically reviewed, and may be subject to additional security monitoring.
Additional Information
Footnotes
The following information provides supporting information referenced in the other sections of this document:
1. Device management systems are systems designed to securely manage the configuration, deployment, and patching of managed client systems. Examples include Microsoft Endpoint Configuration Manager (MECM/SCCM), Jamf, Intune, Ansible, and more.
2. Monitoring for vendor patches can be done via a variety of mechanisms such as vendor announcements/advisories, subscribing to vendor emails, external party notices (CISA, CIS, etc.), vendor or industry forums, media publications, or direct engagement with vendor contacts.
3. Servers are systems that provide services to other systems, including but not limited to server operating systems, appliances, hypervisors, networking equipment, databases, web applications, and more. All systems are classified as either a server or an endpoint.
4. Endpoints are systems that exclusively consume services from other systems, including but not limited to desktops, laptops, tablets, mobile devices, and more. All systems are classified as either a server or an endpoint.
Roles & Responsibilities
| Role | Responsibilities |
| --- | --- |
| Chief Information Security Officer (CISO) | Oversees patch management governance and compliance. |
| System/Application/Endpoint Administrators | Responsible and accountable for patching; monitor for patch availability; test, deploy, and validate patches. |
| Information Security Office | Monitors threat intelligence, reports on patch compliance, and assesses risks. |
Compliance
The Information Security Office will report on patch status to ensure compliance with this standard and University policies. Systems out of compliance with this standard or the University Security Program policy will be escalated for remediation planning, and continued noncompliance may result in systems being isolated on the University network with limited or restricted connectivity.
Supporting References
The following information provides supporting references that informed the development of this standard:
Appropriate Use Policy: https://policy.illinoisstate.edu/technology/9-2/
Information Security Program Policy: https://policy.illinoisstate.edu/technology/9-8/
Vulnerability Playbooks: High Risk Vulnerability Response Playbook; Urgent Risk Vulnerability Response Playbook
NIST 800-40 Guide to Enterprise Patch Management: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-40r4.pdf
NIST 800-53 Security and Privacy Controls: https://csrc.nist.gov/pubs/sp/800/53/r5/upd1/final
CIS Controls v8.1: https://www.cisecurity.org/controls/v8-1
CIS Patch Management Standard: https://www.cisecurity.org/-/media/project/cisecurity/cisecurity/data/media/files/uploads/2020/06/Patch-Management-Standard.docx
CIS Control v8 Guidance
Illinois State University leverages the CIS Controls framework, validated through the CIS Community Defense Model, to ensure our cybersecurity measures effectively mitigate the most prevalent real-world threats, including those identified in the MITRE ATT&CK framework, thereby enhancing our defenses against known adversary behaviors.
1.1 Establish and Maintain Detailed Enterprise Asset Inventory: Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the potential to store or process data, to include: end-user devices (including portable and mobile), network devices, non-computing/IoT devices, and servers. Ensure the inventory records the network address (if static), hardware address, machine name, data asset owner, department for each asset, and whether the asset has been approved to connect to the network. For mobile end-user devices, MDM type tools can support this process, where appropriate. This inventory includes assets connected to the infrastructure physically, virtually, remotely, and those within cloud environments. Additionally, it includes assets that are regularly connected to the enterprise’s network infrastructure, even if they are not under control of the enterprise. Review and update the inventory of all enterprise assets bi-annually, or more frequently.
2.1 Establish and Maintain a Software Inventory: Establish and maintain a detailed inventory of all licensed software installed on enterprise assets. The software inventory must document the title, publisher, initial install/use date, and business purpose for each entry; where appropriate, include the Uniform Resource Locator (URL), app store(s), version(s), deployment mechanism, and decommission date. Review and update the software inventory bi-annually, or more frequently.
7.3 Perform Automated Operating System Patch Management: Perform operating system updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
7.4 Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
7.7 Remediate Detected Vulnerabilities: Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process.
9.1 Ensure Use of Only Fully Supported Browsers and Email Clients: Ensure only fully supported browsers and email clients are allowed to execute in the enterprise, only using the latest version of browsers and email clients provided through the vendor.
12.1 Ensure Network Infrastructure is Up-to-Date: Ensure network infrastructure is kept up-to-date. Example implementations include running the latest stable release of software and/or using currently supported network-as-a-service (NaaS) offerings. Review software versions monthly, or more frequently, to verify software support.