IT Software Update Management Policy

Queries

For queries on this policy, contact IT Support:

Purpose and scope

This policy sets out the expectations and approach for managing software and firmware security updates, so that issues are remediated promptly and consistently and the University can satisfy relevant cyber and information security standards.

Software support means that a vendor has committed to providing regular software updates. Vendors are expected to specify a future date when these updates will cease.

Functional updates and patches introduce new features and functionality, and often set the baseline version of software eligible to receive regular updates.

Security updates and patches rectify security issues in software and firmware. Effective patch management limits the exposure of in-scope systems to common cyber threats and the effect of those threats.

This policy applies to all devices capable of receiving software updates, including operating systems, applications, embedded systems, Internet of Things devices, and firmware. Personally owned (bring your own) devices and systems are outside the scope of this policy and shall be managed in accordance with the IT Regulations.

This policy applies to all University-provided systems accessing, or capable of accessing, University Information, including Teaching and Learning, Research, and Professional Services.

Related policies and procedures

This policy forms part of the Information Security Framework and should be read in conjunction with the Information Security Policy and all supporting policies.

The IT Regulations outline general expectations for maintaining the confidentiality, integrity, and availability of IT systems.

The University IT Acceptable Use Policy outlines the basis for use of IT Facilities and for software management. The approach to software update management shall comply with the University IT Regulations and the IT Acceptable Use Policy.

The IT Monitoring Notice outlines the basis and approach for monitoring network traffic and IT system use.

Policy

  1. All devices and systems shall be managed and maintained to ensure they receive software updates. Whether a device or system is supported shall be determined by the software vendor specifying a future date when these updates will cease.
  2. Where a vendor does not clearly state that software updates will be available, a risk assessment must be made to consider whether the software is appropriate for use. Factors include observations based on previous releases, activity such as code commits, and community engagement.
  3. Patches will be managed using a risk-based approach to enable prioritisation based on potential impact. Priority will be determined by the severity of the vulnerability, the available access methods, and the sensitivity of the information held.
  4. Severity will be rated using the Common Vulnerability Scoring System (CVSS).
  5. Patches are to be applied on a priority basis within 14 days where the patch fixes a vulnerability with a severity that the CVSS or the product vendor describes as 'critical' or 'high' risk.
  6. All devices and systems should be patched within 30 days of an update being released, where the patch fixes a vulnerability with a severity the product vendor describes as 'high'.
  7. Devices and systems which are no longer capable of receiving security updates, including specialised laboratory equipment, must be assessed at the point at which security updates cease to be available.
  8. A risk assessment, conducted in collaboration with University IT, is required to evaluate the potential threats that insufficient security maintenance could pose to the University network. Mitigation measures should be identified and executed. Where risks cannot be entirely mitigated, they must be escalated to the Chief Digital and Information Officer for a decision based on the University's risk tolerance. Any risks that remain unmitigated require periodic review.
  9. Where it is not possible to address a known vulnerability, the risk shall be formally recorded for review by the College Registrars, Heads of School, and Directors of Professional Services, as appropriate, and raised to the Chief Digital and Information Officer at the earliest opportunity. All patching must follow the University IT Change processes.
  10. The Chief Digital and Information Officer or their nominated delegate shall have the authority to agree exceptions to the requirements of this policy.

Roles and responsibilities

The Chief Digital and Information Officer is the sponsor for this policy, and is responsible for approving the need to develop or substantively amend the policy, for presenting the final draft to the approving body, and for ensuring that their policy-making documents comply with, and are monitored and reviewed in line with, the Cardiff University Policy for the Development of Policy-making Documents.

The Senior Information Risk Owner (SIRO) is responsible for all information risks and sets the acceptable level of risk for the University's information estate.

The Chief Digital and Information Officer or nominated deputy is responsible for ensuring the policy is applied, so that the University infrastructure, devices, and systems provided internally or by its service providers are properly managed and secured. The Chief Digital and Information Officer is also delegated the authority to impose sanctions on devices and systems that do not comply with this policy.

College Registrars, Heads of School, and Directors of Professional Services are responsible for ensuring that any devices and systems in operation within their areas of responsibility that are not managed by University IT Services (inclusive of any services supplied by a service provider) operate in accordance with this policy.

It is the responsibility of every individual managing devices and systems covered by this policy to ensure that software is managed and vulnerabilities are remediated, and to seek clarification or advice from a line manager or University IT where they are unsure how to redress an issue.

University IT is responsible for monitoring software updates and reporting compliance against this policy to the University Information Security Oversight Group (ISOG). Escalations in terms of exceptions and sanctions will be raised to the Chief Digital and Information Officer for a decision.

Monitoring and review

This policy shall be reviewed every three years, or as and when required.

Exceptions to this policy shall be reviewed annually to ensure that they remain applicable and appropriate.

The volume of software with critical and high vulnerabilities identified through scans of the network, and the plans to resolve them, will be monitored by the Cyber Security Operations Group in University IT.

Breaches of this policy may be treated as a disciplinary matter, dealt with under the University's staff disciplinary procedure or the student disciplinary procedure as appropriate.

Document control table

Document title: IT Software Update Management Policy
Author(s): Owen Hadall, Director of IT, University IT
Version number: 1.0
Date of next review: July 2028