Version: 1.0
Modified By: Michael Hawkins, October 29, 2013
Approved By: Dan Bowden, November 2013

Rule 4-004J Payment Card Industry (PCI) Patch Management (proposed)

01.1 Purpose

The purpose of the Patch Management Rule is to ensure that information about vulnerabilities and threats to the University of Utah's ("University") PCI systems and resources is obtained and evaluated, and that appropriate measures are taken to address the risks through the application of system patches.

01.2 Scope

The Patch Management Rule applies to all PCI systems and resources connected to the University's network. This includes network devices, servers, operating systems, desktops, laptops, applications and programs.

01.3 Rule Statement

The Information Security Office shall coordinate with IT support professionals to implement a patch management program to systematically manage vulnerabilities and threats to the University's information systems and resources, and ensure all related patches are installed in a timely manner.

01.4 Patch Management for PCI Systems

Area Statement: The Information Security Office shall report to University leadership on the security posture of University information systems and resources with respect to whether relevant and approved security patches are installed as they become available, based on system criticality and risk. Approved patches may have to be determined on a system-by-system basis in coordination with application vendors, IT support professionals, and Information Security.

01.4.01 Testing Patches

All security-related patches, fixes and updates developed by in-house developers or provided by vendors, user associations and other trusted third parties shall be tested by the University's IT Professionals/Administrators prior to implementation. [Ref: CS171, PCI]

The IT Administrator shall perform, coordinate and support patching of systems. Specific responsibilities shall include:

- Monitoring vendor and government vulnerability alerts, web sites, and mailing lists. Consideration should also be given to subscribing to commercial vulnerability services that could provide the University with early warning of potential vulnerabilities and threats.
- Working with appropriate system vendors to respond to system-specific security problems and concerns (i.e., operating system patches).
- Testing patches, fixes and workarounds prior to distribution to IT professionals/administrators.
- Notifying resource administrators of vulnerabilities as they are identified.
- Providing technical assistance to IT professionals/administrators during the patch implementation process.
- Monitoring, via automated mechanisms, the patch implementation process to ensure patches are being loaded.
- Identifying, developing, purchasing and/or distributing security assessment tools.

01.4.02 Installation of Patches

Resource administrators are responsible for installing available patches on the information resources under their control in a timely fashion. Security patches relevant to the protection of Restricted or Sensitive information (i.e., cardholder information) shall be installed within one month of release. [Ref: CS493, PCI]

[Rules] Resource administrators should use the following process to ensure that patches do not compromise the security of the information systems being patched:

- Obtain the patch from a known, trusted source.
- Verify the integrity of the patch through such means as comparison of cryptographic hashes, to ensure the patch obtained is the correct, unaltered patch.
- Apply the patch to an isolated test system and verify that the patch:
  - Is compatible with other software used on systems to which the patch will be applied;
  - Does not alter the system's security posture in unexpected ways, such as altering log settings;
  - Corrects the pertinent vulnerability.
- Back up production systems prior to applying the patch.
- Apply the patch to production systems using secure methods, and update the cryptographic checksums of key files as well as that system's software archive.
- Test the resulting system for known vulnerabilities.
- Update the master configurations used to build new systems.
- Create and document an audit trail of all changes.
- Seek additional expertise as necessary to maintain a secure computing environment.
- Install updates automatically without individual user intervention.
- Employ automated mechanisms to make security alert and advisory information available throughout the organization.

If a patch, fix or service pack cannot be applied because it damages other applications on the system, the risk posed by the unpatched vulnerability should be documented and the Information Security Office and the Information Owner should be notified. When information systems are known to have vulnerabilities and cannot be patched, compensating controls shall be implemented to mitigate the risk.

01.4.03 Testing Information Systems

After operating system changes (e.g., patches, upgrades, or new versions), applications and support processes shall be reviewed and tested, including: application control and integrity procedures; support and development plans for operating system changes; proper notification of changes to the user community; and updates to any applicable business continuity plans and/or recovery processes. [Ref: CS844, PCI]

01.4.05 Vulnerability Management Processes

The Information Security Office shall ensure that vulnerability assessments are conducted for the University's information systems and resources, including vulnerability scans conducted at least monthly. Vulnerability remediation efforts, including patch implementations, shall be coordinated and processed according to the University's change management process (refer to the Change Management Policy). This includes meeting all testing and/or documentation requirements. Technical vulnerabilities, including vendor-supplied patches, shall be classified using the following rating system.
[Operational groups] shall remediate technical vulnerabilities or install patches using the following [schedules]: [Ref: CS845, PCI]

- Immediate: This classification applies to threats that are actively impacting the environment. Patches classified as Immediate will be implemented without delay using emergency change control procedures.
- Critical: Critical patches are top priority for implementation because there are active, known code and/or process issues related to the software. Critical patches should be implemented within 36 hours using emergency change control procedures.
- Important: Important patches are to be implemented at the first available normal operational opportunity. These patches have no existing negative impact on operating results. Important patches will be implemented within seven (7) days using normal change control procedures.
- Operational: Operational patches are to be implemented on the next operational patch promotion schedule. This classification is for enhancement patches that improve operations but are not required to fix inaccurate data or process results. Operational patches will normally be implemented within 30 days using normal change control procedures.

The Information Security Office shall be responsible for maintaining the documentation of the analysis produced by the technical vulnerability management processes, and is also responsible for escalating or de-escalating vulnerability classifications and communicating changes, as appropriate.

The Information Security Office and UIT shall be responsible for developing processes for asset management, classification and prioritization of systems in support of the technical vulnerability management processes. This includes a detailed asset inventory with appropriate documentation to facilitate prioritization and implementation of vulnerability remediation activities and the application of patches.

The Information Security Office shall ensure that a baseline configuration is documented and maintained for the University's information systems and resources.

The vulnerability and patch management processes shall be reviewed on an annual basis.

01.5 Contacts

A. Policy Owner: Questions about this rule should be directed to the CISO, 801-213-3397, IT_policy@utah.edu
B. Policy Officer: Only the CIO, 801-581-3100, has the authority to grant exceptions to this rule.

01.6 References

A. Policy 4-002: Information Resources Policy
B. Policy 4-004: University of Utah Information Security Policy
C. Data Classification Model

01.7 Policy Meta-Data

A. Policy Owner
B. Audience
C. Status
D. Published Date
E. Effective Date
F. Next Review Date
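The remediation schedule in section 01.4.05 (Immediate, 36 hours, 7 days, 30 days) is the kind of window an automated monitoring mechanism (section 01.4.01) can check against a patch inventory. The following is an added example, not part of the rule or of any University tooling: the host names, patch identifiers and dates are constructed, and the Immediate class is modelled as a zero-length window.

```python
from datetime import datetime, timedelta

# Remediation windows from section 01.4.05 of the rule. "Immediate" means
# without delay, modelled here as a zero-length window.
WINDOWS = {
    "Immediate": timedelta(0),
    "Critical": timedelta(hours=36),
    "Important": timedelta(days=7),
    "Operational": timedelta(days=30),
}


def deadline(released, classification):
    """Latest acceptable installation time for a patch of the given class."""
    return released + WINDOWS[classification]


def overdue_patches(inventory, now):
    """Return (host, patch, hours_late) for every record that missed its window.

    A record is a finding when it is still uninstalled past its deadline, or
    when it was installed after the deadline (late installs are audit findings
    too, so they stay in the report)."""
    findings = []
    for rec in inventory:
        due = deadline(rec["released"], rec["class"])
        checkpoint = rec.get("installed") or now
        if checkpoint > due:
            hours_late = (checkpoint - due).total_seconds() / 3600
            findings.append((rec["host"], rec["patch"], round(hours_late, 1)))
    return findings


# Constructed sample inventory: hypothetical hosts, patch ids and dates.
SAMPLE = [
    {"host": "pos-db-01", "patch": "KB-EXAMPLE-1", "class": "Critical",
     "released": datetime(2013, 11, 1, 9, 0), "installed": datetime(2013, 11, 2, 12, 0)},
    {"host": "pos-web-02", "patch": "KB-EXAMPLE-2", "class": "Important",
     "released": datetime(2013, 11, 1, 9, 0), "installed": None},
    {"host": "pos-web-02", "patch": "KB-EXAMPLE-3", "class": "Operational",
     "released": datetime(2013, 11, 1, 9, 0), "installed": None},
]
SAMPLE_NOW = datetime(2013, 11, 10, 9, 0)  # constructed "current time" for the report


def sample_findings():
    """Run the check over the constructed inventory; only KB-EXAMPLE-2 is late."""
    return overdue_patches(SAMPLE, SAMPLE_NOW)


if __name__ == "__main__":
    for host, patch, hours in sample_findings():
        print("OVERDUE host=%s patch=%s hours_late=%s" % (host, patch, hours))
```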
01.8 Revision History