The objective of AU's policy for patching is:
This patch policy is important for the following groups of employees:
More than 90% of all successful attacks on IT systems succeed because the systems are not up-to-date and are therefore vulnerable to the attack. Today, attacks targeting known vulnerabilities have been automated, and the probability of being exposed to an attack is therefore significantly higher than just a few years ago.
At the same time, AU is increasingly being met by contractual requirements for updates from our partners. Particularly after the EU General Data Protection Regulation entered into force on 25 May 2018, we are facing ever more requirements to patch systems that process personal data within 48-72 hours when a critical vulnerability is found. Patch management is therefore a business-critical task and requires disciplined efforts.
In modern everyday life, everything is increasingly connected and it is important to focus on networked devices such as printers/photocopiers, surveillance cameras, NAS boxes, refrigerators, temperature gauges, etc. All these units constitute a potential threat if we fail to ensure that they are either up-to-date or inaccessible to unauthorised persons.
All units connected to a non-public/guest network (wireless or cabled) at Aarhus University are covered by this policy. However, the policy differentiates somewhat between different types of equipment.
The system owner, the system administrator, the employees responsible for research IT and the owners of networked units are responsible for ensuring that the equipment used is either patched or appropriately isolated. If you are using a PC that was installed by the local IT support team, the PC will usually be set up with automatic updating. Automatic updating may not be turned off without dispensation from the Central Information Security Committee (CISU).
You can also receive central updates on PCs and servers that you install and maintain yourself. If you want to receive such updates, contact your local IT support team.
Systems/units that are not patched and maintained constitute a security risk for the entire university.
AU IT therefore carries out regular vulnerability scans, both internal and external, and if a unit turns out to be vulnerable, the information security department will ensure that the necessary steps are taken to rectify this. Normally, this means that you will receive a request to update the equipment, but for critical vulnerabilities access will be closed immediately. The same applies if the unit in question is not updated in accordance with the agreement made in connection with such a request.