PURPOSE:
This Patch Management Policy establishes the standards and procedures for managing and applying security patches and updates to Idaho College of Osteopathic Medicine (ICOM) information systems and software. The purpose of this policy is to minimize vulnerabilities, protect institutional assets from exploitation, ensure system stability, and maintain compliance with relevant security standards and regulations. Effective patch management is a critical security control for reducing the risk of cyberattacks, data breaches, and system disruptions. This policy applies to all systems and software within the institution's environment, including on-premises systems and cloud-based services (including SaaS applications, to the extent applicable).
SCOPE:
This policy applies to all information systems, network devices, and software owned, leased, or managed by ICOM, including but not limited to:
- Servers (physical and virtual)
- Workstations and laptops
- Mobile devices (to the extent that patching is managed by the institution – e.g., institutionally owned devices, MDM-managed devices)
- Network infrastructure devices (routers, switches, firewalls)
- Operating systems
- Applications (institutionally managed applications)
- Firmware
- SaaS Applications (addressing vendor patch responsibility and institutional verification)
This policy applies to all individuals responsible for managing, maintaining, or using these systems and software, including but not limited to:
- IT Department
- System Administrators
- Departmental IT Support Staff
- SaaS Application Administrators (regarding vendor patching verification)
- Users (regarding awareness of patching and potential system impacts)
DEFINITIONS:
- Critical Patch/Emergency Patch: A software patch or update that addresses a critical security vulnerability that is actively being exploited or poses an immediate and significant risk to systems and data. Critical patches require expedited deployment.
- Patch (Software Patch/Security Patch): A software update intended to fix a specific problem, improve security, or enhance functionality in a software application or operating system. Security patches are specifically designed to address security vulnerabilities.
- Patch Management: The process of systematically identifying, acquiring, testing, and deploying software patches and updates to maintain system security, stability, and performance.
- SaaS Application (Software as a Service): A software delivery model in which software is hosted by a vendor and made available to customers over a network, typically the internet, usually on a subscription basis.
- Vulnerability: A weakness in a system, software, or hardware that could be exploited by a threat actor to gain unauthorized access, cause harm, or compromise confidentiality, integrity, or availability.
- Vulnerability Scanning: The process of using automated tools to identify security vulnerabilities in systems, networks, and applications.
- Zero-Day Vulnerability: A software vulnerability that is publicly disclosed or actively being exploited before a patch is available from the vendor.
- Firmware: A specific class of computer software that provides the low-level control for the device's specific hardware. Firmware updates often include security patches and performance improvements for hardware devices.
- Maintenance Window: A designated period of time, typically outside of normal business hours, during which system maintenance activities, such as patch deployments, are performed to minimize disruption to users.
- Rollback Plan: A documented procedure outlining the steps to revert a system or application to its previous state in the event that a patch deployment causes unforeseen issues or instability.
- Security Advisory: A public notification issued by a software or hardware vendor to inform users about a newly discovered security vulnerability and to provide information about available patches or mitigation strategies.
POLICY:
Vulnerability Monitoring and Patch Identification: The IT Department will establish and maintain processes for proactively monitoring for security vulnerabilities and identifying available patches and updates for all systems and software within the scope of this policy. This includes:
- Subscribing to security vulnerability information feeds and vendor security advisories.
- Regularly scanning systems for vulnerabilities using vulnerability scanning tools.
- Monitoring for zero-day vulnerabilities and critical security alerts.
- Tracking software and hardware inventory to ensure all assets are covered by patch management processes.
Patch Evaluation and Testing: Before widespread deployment on applicable systems, patches and updates must be evaluated and tested to assess their potential impact on system stability, functionality, and compatibility. Testing procedures will include:
- Reviewing vendor-provided patch documentation and release notes.
- Testing patches in a non-production or test environment that mirrors the production environment as closely as possible.
- Testing critical applications and services after patch application to verify functionality.
- Developing rollback plans in case patch deployment causes unforeseen issues.
Timely Patch Deployment: Security patches and updates must be deployed in a timely manner, based on the criticality of the vulnerability and the potential risk to the institution. Patch deployment timelines will be prioritized as follows:
- Critical/Emergency Patches: Patches addressing critical vulnerabilities that are actively being exploited or pose an immediate and significant risk must be deployed as rapidly as possible, ideally within 24-72 hours of vendor release or vulnerability disclosure, following expedited testing procedures.
- High Priority Patches: Patches addressing high-severity vulnerabilities should be deployed within 1-2 weeks of vendor release, following standard testing procedures.
- Moderate and Low Priority Patches: Patches addressing moderate and low-severity vulnerabilities should be deployed within 30-90 days of vendor release, as part of regular maintenance cycles.
Patch Deployment Procedures: Patch deployment must be performed in a controlled and documented manner, following established procedures to minimize disruptions and ensure consistency. Patch deployment procedures will include:
- Scheduling patch deployments during established maintenance windows whenever possible to minimize user impact.
- Communicating planned maintenance windows and potential service disruptions to users in advance.
- Utilizing automated patch deployment tools where feasible to streamline the patching process and ensure consistency.
- Documenting all patch deployments, including patch details, systems patched, deployment date, and any issues encountered.
- Maintaining a record of exceptions to patching and the justification for each exception.
Verification of Patch Deployment: After patch deployment, systems must be verified to confirm that patches have been successfully installed and that vulnerabilities have been remediated. Verification methods may include:
- Utilizing vulnerability scanning tools to rescan patched systems and confirm vulnerability remediation.
- Reviewing system logs and patch management tool reports to verify successful patch installation.
- Manual verification for systems where automated verification is not feasible.
Patch Management for SaaS Applications: Recognizing that patch management for SaaS applications is primarily the responsibility of the SaaS vendor, the institution will:
- Vendor Due Diligence: As part of SaaS vendor selection and ongoing vendor management, evaluate and verify the vendor's patch management practices, security update policies, and vulnerability response procedures, following guidelines and procedure set out in the Third-Party Vendor Management Policy.
- Vendor Patching Transparency: Request and review documentation from SaaS vendors regarding their patch release schedules, security update notifications, and vulnerability remediation timelines.
- Institutional Verification (Where Possible): Where feasible and provided by the vendor, utilize vendor provided dashboards or reporting mechanisms to verify the patch status and security update levels of the institution's SaaS application instances.
- Assume Shared Responsibility: Recognize that while SaaS vendors handle infrastructure patching, the institution retains responsibility for securing user access to SaaS applications and managing data within SaaS environments, even if patching is vendor-managed.
Exceptions to Patching: Exceptions to immediate patch deployment may be granted in limited circumstances where immediate patching could cause significant operational disruption or system incompatibility. Exceptions must be:
- Formally requested and documented with clear justification, including a risk assessment.
- Approved by the Chief Information Officer.
- Subject to compensating security controls to mitigate the risk of delayed patching.
- Reviewed and re-evaluated regularly to determine when patching can be implemented.
Emergency Patching: In the event of critical vulnerabilities being actively exploited, or under emergency circumstances, expedited patch deployment procedures will be followed to rapidly deploy necessary patches with minimal testing, prioritizing speed of remediation over standard testing timelines. Emergency patching will be coordinated by the IT Department, with communication to relevant stakeholders as needed.
ENFORCEMENT:
Enforcement of this Patch Management Policy is the responsibility of all managers, supervisors, IT administrators, system administrators, security administrators, and users, under the overall direction of the Chief Information Officer. Failure to adhere to patch management procedures, neglecting timely patching of critical vulnerabilities, or other policy violations may result in disciplinary actions, up to and including warnings, suspension of system access, and termination of employment or access privileges, and potential legal or financial consequences, particularly in cases of negligence leading to security breaches. The Information Technology Office will monitor compliance with this policy, track patch deployment status, and investigate reported violations or patching deficiencies.
POLICY REVIEW AND UPDATES:
This Patch Management Policy and associated procedures will be reviewed and updated at least annually, or as needed to reflect changes in technology, vulnerability landscape, patching best practices, regulations, institutional risk assessments, or business needs. The Chief Information Officer is responsible for coordinating policy reviews and updates, in consultation with the IT Department and relevant stakeholders.
PRIMARY POLICY OWNER:
Chief Information Officer
APPROVAL:
Effective: 7/8/25
Last Reviewed: 7/8/25
Review Requirement: Annual