Overview

Macalester College is responsible for ensuring the confidentiality, integrity, and availability of its data and that of community members stored on its systems. Macalester College has an obligation to provide appropriate protection against malware threats, such as viruses, Trojans, and worms, which could adversely affect the security of the system or the data residing on the system. Effective implementation of this policy will limit the exposure and effect of common malware threats to the systems within this scope.

Purpose

This document describes the Information Technology Services (ITS) requirements for maintaining up-to-date operating system security patches on all Macalester College owned and managed workstations and servers.

Scope

This policy applies to workstations or servers owned or managed by Macalester College. This includes systems that contain college or community member data owned or managed by Macalester College regardless of location. The following systems have been categorized according to management:

  • Linux and Microsoft Windows servers managed by Network Services Team
  • Workstations (desktops and laptops) managed by Client Services Team
  • Non-ITS servers and workstations owned by Macalester, but managed and maintained through partnership and joint responsibility of ITS and the controlling collegiate unit (e.g., academic department).
    Note: All servers, whether owned and/or managed by Macalester College or not, that are deployed on the Macalester network must comply with the requirements of the Policy for Deployment of Network Servers.

Policy

Workstations and servers owned by Macalester College must have up-to-date operating system security patches installed to protect the asset from known vulnerabilities. This includes all laptops, desktops, servers, and network devices owned and managed by Macalester College.

Workstations

Client Services adheres to a rubric for updating the operating system patches of workstations (laptops, desktops) based on user roles and machine purpose. The rubric is intended to optimize patch installation in a manner that minimizes interruption to mission-critical (e.g., instructional delivery) activities and may or may not employ automatic updating. This is the default configuration for all workstations built by Macalester College. See Exceptions below.

Servers

Servers (including non-ITS servers) and network devices must comply with the minimum baseline requirements that have been approved by ITS Infrastructure. These minimum baseline requirements define the default operating system level, service pack, hotfix, and patch level required to ensure the security of the Macalester College asset and the data that resides on the system. See Exceptions below.

Roles and Responsibilities

  • ITS Infrastructure will manage the patching needs for all servers and network devices on the network.

  • Client Services will manage the patching needs of all workstations on the network.

  • ITS is responsible for routinely assessing compliance with the patching policy and will provide guidance to all groups in issues of security and patch management.

Enforcement

Implementation and enforcement of this policy is ultimately the responsibility of all employees at Macalester College. ITS may conduct random assessments without notice to ensure compliance with this policy. Any system found in violation of this policy shall require immediate corrective action. Violations shall be noted in the Macalester College issue tracking system, and support teams shall be dispatched to remediate the issue. Repeated failures to follow policy may lead to disciplinary action.

Exceptions

Exceptions to the patch management policy require formal documented approval from ITS Infrastructure. Any servers or workstations that do not comply with this policy must have an approved exception on file with ITS. Requests for exceptions should be made to the ITS Associate Director for Infrastructure and Enterprise Application Services.

Definition of Terms

  • Patch: A piece of software designed to fix problems with or update a computer program or its supporting data.
  • Trojan: A class of computer threats (malware) that appears to perform a desirable function but in fact performs undisclosed malicious functions.
  • Virus: A computer program that can copy itself and infect a computer without the permission or knowledge of the owner.
  • Worm: A self-replicating computer program that uses a network to send copies of itself to other nodes. It may cause harm by consuming bandwidth.