Policy for patching (A.12.5.1)

On this page you will find the current policy for security updates of AU systems and devices to ensure that they do not pose a security risk to the entire university.


Objective

The objective of AU's policy for patching is:

  • to ensure that procedures are implemented to control the installation of software on operational systems

Target group

This patch policy is important for the following groups of employees:

  • System owners and others who have formal ownership of a machine they use in their work
  • Operations personnel at AU IT, system administrators in particular
  • Researchers responsible for research IT systems
  • Owners of networked units (including Internet of Things (IoT) units) in the AU network

Why is this important?

More than 90% of all successful attacks on IT systems succeed because the systems are not up-to-date and are therefore vulnerable to the attack. Today, attacks targeting known vulnerabilities have been automated, and the probability of being exposed to an attack is therefore significantly higher than just a few years ago.

At the same time, AU is increasingly subject to contractual requirements from our partners regarding updates. Particularly since the EU General Data Protection Regulation entered into force on 25 May 2018, we are facing ever more requirements to patch critical vulnerabilities in systems that process personal data within 48-72 hours. Patch management is therefore a business-critical task and requires disciplined efforts.

In modern everyday life, everything is increasingly connected, and it is important to focus on networked devices such as printers/photocopiers, surveillance cameras, NAS boxes, refrigerators, temperature gauges, etc. All these units constitute a potential threat if we fail to ensure that they are either up-to-date or inaccessible to unauthorised persons.

What is covered?

All units connected to a non-public/guest network (wireless or cabled) at Aarhus University are covered by this policy. However, the policy differentiates somewhat between different types of equipment.

Patch policy for client machines and equipment in client networks

  1. Critical patches must be installed within 72 hours. (The system owner/system manager responsible for the specific IT workplace determines whether a patch is critical in consultation with the information security department).
  2. Other patches must be installed as quickly as possible and by no later than within 14 days.
  3. Feature updates, e.g. for Windows 10, must be installed at a frequency ensuring that client machines are always supported by new security updates, etc.
  4. Equipment that is no longer supported/covered by security updates must either be:
    1. scrapped
    2. replaced or
    3. isolated on another network

Patch policy for servers located in a protected data centre

  1. Critical patches must be tested and installed as quickly as possible. (The system owner/system manager determines whether a patch is critical in consultation with the information security department).
  2. Other patches should be tested and installed as quickly as possible, but may be postponed to the next service window based on a risk assessment.
  3. Equipment that is no longer supported/covered by security updates must either be:
    1. scrapped
    2. replaced/upgraded or
    3. isolated
      1. The equipment must not be accessible via the Internet and must not be used to access the Internet.
      2. The equipment must be isolated on the network, so that there is no access to other critical equipment (micro segmentation).
      3. Dispensation is required if the equipment is not scrapped or replaced/upgraded.

Patch policy for equipment on laboratory networks

  1. Critical patches must be tested and installed as quickly as possible.
  2. Other patches should be tested and installed as quickly as possible, but may be postponed by up to six months based on a risk assessment.
  3. The only valid reasons for keeping older, non-patched equipment are the following (dispensation is required):
    1. If the equipment is needed to run other equipment or devices – for example a PC used to control equipment that requires older equipment because of software dependencies, plug-in cards, etc.
    2. If upgrading the equipment to a more modern version is (disproportionately) expensive. DKK (xxx)xxxxx.
    3. If the equipment cannot be patched/updated/replaced, in which case the equipment must be isolated as best as possible.
      1. The equipment must not be on the network if data may be collected and transferred in another way.
      2. The equipment must not be accessible via the Internet and must not be used to access the Internet.
      3. The equipment must be isolated on the network, so that there is no access to other critical equipment (micro segmentation).
      4. Servers/PCs for research use may only be used as laboratory machines, i.e. to control equipment. They must not be used as primary or as additional work/client machines.

Patch policy for other equipment

  1. Critical patches must be tested and installed as quickly as possible.
  2. Other patches should be tested and installed as quickly as possible, but may be postponed by up to six months based on a risk assessment.
  3. If the equipment cannot be patched/updated/replaced, the equipment must be isolated as best as possible.
    1. The equipment must not be on the network if data may be collected and transferred in another way.
    2. The equipment must not be accessible via the Internet and must not be used to access the Internet.
    3. The equipment must be isolated on the network, either on dedicated networks or through micro segmentation, so that there is no access to other critical equipment.
    4. Equipment that is no longer covered by security updates cannot be a part of the joint UNI AD and the joint management.

Responsibilities

The system owner, the system administrator, the employees responsible for research IT and the owners of networked units are responsible for ensuring that the equipment used is either patched or appropriately isolated. If you are using a PC that was installed by the local IT support team, the PC will usually be set up for automatic updating. Automatic updating may not be turned off without dispensation from the Central Information Security Committee (CISU).

You can also receive central updates on PCs and servers that you install and maintain yourself. If you want to receive such updates, contact your local IT support team.

If units are not patched

Systems/units that are not patched and maintained constitute a security risk for the entire university.

AU IT therefore carries out regular vulnerability scans, both internal and external, and if a unit turns out to be vulnerable, the information security department will ensure that the necessary steps are taken to rectify this. Normally, this means that you will receive a request to update the equipment, but for critical vulnerabilities access will be closed immediately. The same applies if the unit in question is not updated in accordance with the agreement made in connection with a request.