11.2.10 Security Updates Policy

Proposed: 07/08/2015
Adopted: 08/07/2015
Last Reviewed: 07/31/2018
Effective: 08/07/2015

 

 

 

 

 

 

1.0 Overview

Almost daily new vulnerabilities are discovered in computer operating systems, network devices and application software. These vulnerabilities may be exploited by hackers and malicious logic. This exploitation may lead to loss of availability, confidentiality and integrity of data residing on the exploited systems as well as providing a launching point for exploitation of other Middle Georgia State University network computing resources.

2.0 Purpose

To develop a standard that will maintain system security patches with minimal effort.

3.0 Scope

This document covers all computer systems owned, operated or maintained by Middle Georgia State University and any third party computers connecting to Middle Georgia State University networks.

4.0 Policy

All computer systems connecting to Middle Georgia State University networks must be maintained with current security patches. This requirement specifically includes all LAN, WAN, Dial-up, VPN and Wireless access methods.

Standard

The Office of Technology Resources (OTR) is responsible for maintaining security patches on the workstations it supports. OTR may enable automatic software updates either locally or via a centrally managed software updates server to accomplish this task. When security patches are centrally managed, they will be tested on a small group of computers prior to being fully deployed.

Administrators of servers on the Middle Georgia State University network are responsible for maintaining security patches on their servers.

Personal computer owners who connect their computers to the Middle Georgia State University network are responsible for maintaining security patches on their computers. They must configure their computers to do one of the following in order of preference:

  • Automatically download the updates, and install them
  • Automatically notify the user of available updates

5.0 Enforcement

Active directory group policy will enforce automated update settings on Middle Georgia State University owned, operated or maintained computers running Windows 2003/XP/2008/7 or later.

Per the “Vulnerability Scan Policy”, systems will be audited periodically to ensure system administrators are maintaining security patches adequately.

Without notice, the Office on Network Administration may temporarily suspend or limit network connections or accounts of any user or system considered to be in violation of this policy until the violation is resolved.

The Office of Network Administration or the CIO must approve any waiver of these requirements.

6.0 Revision History

04/20/2006 - Original

04/18/2013 - Changed institution name to reflect consolidation

04/18/2013 - Removed configuration instructions for each operating system

08/04/2015 - Changed institution name to reflect University status