Patch Implementation Guidelines

 

Purpose: To provide specific guidelines for the implementation of security patches based on the severity of the vulnerability.

Patches should be implemented according to the following timeframes:

CVSS Score    | Priority | Timeframe
≥  or ≤ 10    | 1        | 2 Weeks
≥ and < 7     | 2        | 4 Weeks
≥ and < 5     | 3        | 3 Months
0 > and < 3   | 4        | Discretionary

These priorities are based on the NVD Common Vulnerability Scoring System (CVSS). Individuals can subscribe to the NVD Weekly Summary RSS feed.

Exceptions: Patch implementation processes should take into consideration the need for testing and the potential impact on the operations of the University. If a system cannot be patched according to these timeframes, a standard exception should be requested.