RUL 08.00.14 – System and Software Security Patching Standard

Authority:  Issued by the Vice Chancellor for Information Technology

History: First Issued: September 24, 2015.

Related Policies:
REG 08.00.02 – Computer Use Regulation
REG 08.00.03 – Data Management Procedures

Additional References:
National Vulnerability Database (NVD) Common Vulnerability Scoring System (CVSS)
NIST Special Publication 800-40 rev. 3,  Guide to Enterprise Patch Management Technologies
NIST Special Publication 800-53 rev. 4, Security and Privacy Controls for Federal Information Systems and Organizations
Data Categories, Trustees, Stewards and CustodiansDetermining Sensitivity Levels for Shared Data
Appendix A: Mapping CVSS Score and Current Vulnerability Scanning System (Nexpose) Severity to NC State’s Ranking

Contact Info:  Director of Security & Compliance, Office of Information Technology (919-513-1194)

  1. Audience & Responsibility

The standard applies to Data Trustees, Data Stewards, and/or Data Custodians, and their delegates (including information systems development and support personnel, LAN admins/LANTechs, system administrators, database administrators, etc.), who are typically responsible for its implementation.

  1. Purpose

2.1  The purpose of this Rule is to outline the minimum requirements for applying security patches, updates and fixes (“patches”) to information system components including but not limited to firmware and BIOSes, operating systems, applications, and services connected to NC State’s network, or used to process, store, or transmit NC State’s data.

2.2  NC State University REG 08.00.02 – Computer Use Regulation requires authorized users to take appropriate security precautions to protect and secure data residing in or on assigned university accounts or other university and non-university IT Resources. IT Resources include, but are not limited to, University machines, systems or storage devices, or non-university machines, systems or storage devices that may contain the University’s records/data. In order to comply with REG 08.00.02-Computer Use Regulation and ensure appropriate security protections are in place, NC State University has adopted the following Rule which all users, System Administrators, Data Trustees, Data Stewards, and/or Data Custodians (including third party service providers) are required to follow.

2.3  Consequences for non-compliance may include, but not be limited to: device quarantine, disconnection from the network, or denial of access to or from applications or services.

  1. Scope

This Rule applies to all information system components connected to NC State’s network, or used to process, store, or transmit NC State’s data.

  1. Implementation Timeline

It is recommended that implementation begin immediately. Enforcement dates are indicated below.

Table 1. Implementation Timeline
Data Environment Enforcement Date
Cardholder Data Environment (CDE) and connected system components October 31, 2015
* Other sensitive (red, or purple) data environments (SDEs) and connected system components December 31, 2016
All other systems connected to NC State network October 31, 2017
* See http://oit.ncsu.edu/security-standards-compliance/determine-sensitivity for information on data sensitivity levels
  1. Risk Ranking

5.1 NC State currently uses the National Vulnerability Database (NVD) Common Vulnerability Scoring System (CVSS), referenced above,  to determine risk ranking for security-related software patches, updates, and fixes.

5.2 CVSS assigns the following qualitative severity rankings to vulnerabilities associated with security-related patches:

5.2.1 Low (CVSS 0.0-3.9)

5.2.2 Medium (CVSS 4.0-6.9)

5.2.3 High (CVSS 7.0-10.0)

5.3 Security patches self-designated as the highest level of criticality by a vendor must be treated as a High risk regardless of the CVSS score if the patch applies to NC State system components.

  1. Security Patching Schedule
Schedule for Applying Security Patches
Cardholder Data Environment (CDE) or Connected Systems per PCI- DSS Other Sensitive Data Environment or Connected Systems Non-sensitive Data Environments
Available High/Medium security patches must be applied to system components Prior to initial installation into the production environment Prior to initial installation into the production environment Prior to initial installation into the production environment
High security patches must be applied Within 30 calendar days of the vendor’s release date Within 30 calendar days of the vendor’s release date Within 30 calendar days of the vendor’s release date
Medium security patches must be applied Within 30 calendar days of the vendor’s release date Within 60 calendar days of the vendor’s release date Within 180 calendar days of the vendor’s release date
Low security patches must be applied Within 90 calendar days of the vendor’s release date Within 365 calendar days of the vendor’s release date Within 365 calendar days of the vendor’s release date
Non-Security Patching Schedule: Non-security patches should be applied based on identified risk to NC State University (e.g. loss of availability or degraded performance of system components).
  1. Automatic Patching

Automatic security patching is strongly recommended. However, a risk assessment should be performed to address potential negative impact to performance and availability of services the system supports.

  1. Rollback Process

When applying patches to critical and sensitive information system components, system administrators should create rollback procedures as appropriate.

  1. Software Unable to be Secured

Software that is unable to be secured because it is outdated or unsupported must be replaced or removed from the NC State network unless an approved exception has been obtained. See Section 11 below for an explanation of the exception process.

  1. Compliance Assessment and Validation

OIT Security and Compliance is responsible for validating compliance to this standard. Compliance will be validated on an ongoing basis using a number of methods, including but not limited to interviews and automated security vulnerability scanning tools.

  1. Exceptions to Security Patching Standard

OIT Security and Compliance will assess the risk, assist in identifying alternate compensating controls, and communicate recommendations to the requesting party as well as applicable Data Stewards, (see http://oit.ncsu.edu/security-standards-compliance/data-categories-personnel#Steward).  Exception requests should clearly document the justification for the exception and compensating controls that will be implemented to mitigate the risk associated with the delay in applying patches. Contact Security and Compliance to submit requests for exceptions to the NCSU Software Patching Standard. The Vice Chancellor for IT & CIO or their delegate will make the final decision for an exception.