New Rule 08.00.14: System and Software Security Patching Standard

Rationale: Security patching is one of the best weapons, if not the best, against security breaches. Mandatory patching of systems and software will reduce the risk of exposure of valuable university information assets and ensure regulatory compliance.
Review Process:
09/24/2015 Vice Chancellor for Information Technology & CIO authorizes transmittal of PRR for review
See below: [Relevant NCSU administrative body] recommends
See below: [Relevant NCSU committee or other body] recommends
9/24/15 General Counsel final review
10/13/15 EOM FYI
1/12/16 University Council Notification
NA Board of Trustees (approval/notification), if applicable
Review Process - IT Governance Structure
Committee Name / Anticipated Date of Review / Date of 1st Review / Date of 2nd Review
Security & Compliance / May 29, 2015 / May 29, 2015 / N/A
OIT Managers / May 29, 2015
EAS - June 22, 2015 / May 29, 2015 / EAS & Shared Services - August 21, 2015
SCGS Security Technology Working Group / July 16, 2015 / July 16, 2015 / N/A
SCGS Policy & Compliance Working Group / May 28, 2015 / July 23, 2015
SCGS Implementation Strategy Working Group / N/A / N/A / N/A
SCGS / June 4, 2015 / August 6, 2015
Realm Linux Svcs. Committee / August 14, 2015 / August 14, 2015 / N/A
AD Policy / August 21, 2015 / August 21, 2015 / N/A
Mac Policy / August 11, 2015 / August 11, 2015 / N/A
ITSAC-EAS / August 5, 2015 / September 3, 2015 / N/A
ITSAC-CAS / August 6, 2015 / August 6, 2015 / N/A
ITSAC-Infrastructure / August 25, 2015 / August 25, 2015 / N/A
ITSAC-Academic Technology / September 3, 2015 / N/A / N/A
ITSAC-Research Computing / N/A / N/A / N/A
CITD / September 15, 2015 / September 15, 2015 / N/A
ITSAC / September 21, 2015 / September 21, 2015 / N/A
Authority: Issued by______. Changes or exceptions to administrative regulations issued by the ______may only be made by the ______.
History: First Issued: ______, 20___. Last Revised: ______.
Related Policies:
REG 08.00.02 - Computer Use Regulation
REG 08.00.03 - Data Management Procedures
Additional References:
National Vulnerability Database (NVD) Common Vulnerability Scoring System (CVSS)
NIST Special Publication 800-40 rev. 3, Guide to Enterprise Patch Management Technologies
NIST Special Publication 800-53 rev. 4, Security and Privacy Controls for Federal Information Systems and Organizations
Data Categories, Trustees, Stewards and Custodians
Determining Sensitivity Levels for Shared Data
Appendix A: Mapping CVSS Score and Current Vulnerability Scanning System (Nexpose) Severity to NC State’s Ranking
Contact Info: Director of Security & Compliance, Office of Information Technology (919-513-1194)

1. Audience & Responsibility

The standard applies to Data Trustees, Data Stewards, and/or Data Custodians, and their delegates (including information systems development and support personnel, LAN admins/LANTechs, system administrators, database administrators, etc.), who are typically responsible for its implementation.

2. Purpose

The purpose of this Rule is to outline the minimum requirements for applying security patches, updates and fixes (“patches”) to information system components including but not limited to firmware and BIOSes, operating systems, applications, and services connected to NC State’s network, or used to process, store, or transmit NC State’s data.

NC State University REG 08.00.02 - Computer Use Regulation requires authorized users to take appropriate security precautions to protect and secure data residing in or on assigned university accounts or other university and non-university IT Resources. IT Resources include, but are not limited to, University machines, systems or storage devices, or non-university machines, systems or storage devices that may contain the University’s records/data. In order to comply with REG 08.00.02-Computer Use Regulation and ensure appropriate security protections are in place, NC State University has adopted the following Rule which all users, System Administrators, Data Trustees, Data Stewards, and/or Data Custodians (including third party service providers) are required to follow.

Consequences for non-compliance may include, but are not limited to: device quarantine, disconnection from the network, or denial of access to or from applications or services.

3. Scope

This Rule applies to all information system components connected to NC State’s network, or used to process, store, or transmit NC State’s data.

4. Implementation Timeline

It is recommended that implementation begin immediately. Enforcement dates are indicated below.

Table 1. Implementation Timeline
Data Environment / Enforcement Date
Cardholder Data Environment (CDE) and connected system components / October 31, 2015
* Other sensitive (red, or purple) data environments (SDEs) and connected system components / December 31, 2016
All other systems connected to NC State network / October 31, 2017
* See the references above for information on data sensitivity levels.

5. Risk Ranking

5.1 NC State currently uses the National Vulnerability Database (NVD) Common Vulnerability Scoring System (CVSS), referenced above, to determine risk ranking for security-related software patches, updates, and fixes.

5.2 CVSS assigns the following qualitative severity rankings to vulnerabilities associated with security-related patches:

5.2.1 Low (CVSS 0.0-3.9)

5.2.2 Medium (CVSS 4.0-6.9)

5.2.3 High (CVSS 7.0-10.0)

5.3 Security patches self-designated as the highest level of criticality by a vendor must be treated as a High risk regardless of the CVSS score if the patch applies to NC State system components.

6. Security Patching Schedule

Table 2. Schedule for Applying Security Patches
Requirement / Cardholder Data Environment (CDE) or Connected Systems per PCI-DSS / Other Sensitive Data Environment or Connected Systems / Non-sensitive Data Environments
Available High/Medium security patches must be applied to system components / Prior to initial installation into the production environment / Prior to initial installation into the production environment / Prior to initial installation into the production environment
High security patches must be applied / Within 30 calendar days of the vendor’s release date / Within 30 calendar days of the vendor’s release date / Within 30 calendar days of the vendor’s release date
Medium security patches must be applied / Within 30 calendar days of the vendor’s release date / Within 60 calendar days of the vendor’s release date / Within 180 calendar days of the vendor’s release date
Low security patches must be applied / Within 90 calendar days of the vendor’s release date / Within 365 calendar days of the vendor’s release date / Within 365 calendar days of the vendor’s release date
Non-Security Patching Schedule: Non-security patches should be applied based on identified risk to NC State University (e.g. loss of availability or degraded performance of system components).
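The following is an added example, not part of the Rule or of any NC State tool, showing how the risk ranking in Section 5 (including the vendor-critical override in 5.3) and the schedule in Section 6 can be applied mechanically to scanner output to flag findings that have passed their patching deadline. The environment keys (CDE, SDE, OTHER), the sample findings and the patch labels are constructed for illustration; the example also assumes that the deadline day itself is still compliant and a finding is overdue only on the following day.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Iterable, List, Union

DateLike = Union[date, str]


def _as_date(d: DateLike) -> date:
    """Accept a date or an ISO 'YYYY-MM-DD' string, as most scanner exports provide."""
    return d if isinstance(d, date) else date.fromisoformat(d)


def cvss_rank(score: float, vendor_critical: bool = False) -> str:
    """Section 5.2 bands (Low 0.0-3.9, Medium 4.0-6.9, High 7.0-10.0).

    Section 5.3: a patch the vendor marks at its highest criticality is High
    regardless of the CVSS score.  CVSS scores carry one decimal place, so the
    gaps between bands (e.g. 3.95) do not occur in practice.
    """
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    if vendor_critical or score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


# Section 6 table: calendar days after the vendor's release date, by rank and
# environment.  The environment keys are an assumption of this example:
#   CDE   = Cardholder Data Environment or connected systems (PCI-DSS)
#   SDE   = other sensitive (red/purple) data environment or connected systems
#   OTHER = non-sensitive data environments
DEADLINE_DAYS = {
    "High":   {"CDE": 30, "SDE": 30,  "OTHER": 30},
    "Medium": {"CDE": 30, "SDE": 60,  "OTHER": 180},
    "Low":    {"CDE": 90, "SDE": 365, "OTHER": 365},
}


def patch_deadline(rank: str, environment: str, release_date: DateLike) -> date:
    """Last compliant day for applying a patch of the given rank in the given environment."""
    try:
        days = DEADLINE_DAYS[rank][environment]
    except KeyError:
        raise ValueError(f"unknown rank/environment: {rank}/{environment}") from None
    return _as_date(release_date) + timedelta(days=days)


@dataclass
class Finding:
    """One open (unpatched) vulnerability as reported by a scanner."""
    host: str
    environment: str
    patch_id: str            # constructed placeholder label, not a real advisory id
    cvss: float
    released: DateLike       # vendor release date of the patch
    vendor_critical: bool = False


def overdue_findings(findings: Iterable[Finding], today: DateLike) -> List[dict]:
    """Return findings past their Section 6 deadline, most overdue first."""
    today = _as_date(today)
    out = []
    for f in findings:
        rank = cvss_rank(f.cvss, f.vendor_critical)
        deadline = patch_deadline(rank, f.environment, f.released)
        if today > deadline:  # deadline day itself is still compliant (assumption)
            out.append({"host": f.host, "patch_id": f.patch_id, "rank": rank,
                        "deadline": deadline.isoformat(),
                        "days_overdue": (today - deadline).days})
    out.sort(key=lambda r: r["days_overdue"], reverse=True)
    return out


def blocks_production_install(findings: Iterable[Finding]) -> bool:
    """First row of the Section 6 table: any open High or Medium patch must be
    applied before the component enters production."""
    return any(cvss_rank(f.cvss, f.vendor_critical) in ("High", "Medium")
               for f in findings)


# Constructed sample scan output (hosts, labels and dates are illustrative only).
SAMPLE_FINDINGS = [
    Finding("pos-web-01", "CDE",   "PATCH-A", 5.3, "2015-11-01"),
    Finding("hr-db-02",   "SDE",   "PATCH-B", 5.3, "2015-11-01"),
    Finding("lab-pc-17",  "OTHER", "PATCH-C", 2.1, "2015-11-01"),
    Finding("lab-pc-17",  "OTHER", "PATCH-D", 6.5, "2015-11-01", vendor_critical=True),
]

if __name__ == "__main__":
    for row in overdue_findings(SAMPLE_FINDINGS, "2016-01-15"):
        print(row)
    print("blocks production install:", blocks_production_install(SAMPLE_FINDINGS))
```

Running the sample on 2016-01-15 reports PATCH-A (Medium in the CDE, 30-day clock) and PATCH-D (vendor-critical, so High despite a 6.5 score) as 45 days overdue and PATCH-B (Medium in a sensitive environment, 60-day clock) as 15 days overdue, while the Low-ranked PATCH-C on a non-sensitive host still has most of its 365 days left. The same data also shows why the first row of the schedule matters: with open High or Medium findings, the components may not enter production at all.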

7. Automatic Patching

Automatic security patching is strongly recommended. However, a risk assessment should be performed to address potential negative impact to performance and availability of services the system supports.

8. Rollback Process

When applying patches to critical and sensitive information system components, system administrators should create rollback procedures as appropriate.

9. Software Unable to be Secured

Software that is unable to be secured because it is outdated or unsupported must be replaced or removed from the NC State network unless an approved exception has been obtained. See Section 11 below for an explanation of the exception process.

10. Compliance Assessment and Validation

OIT Security and Compliance is responsible for validating compliance with this standard. Compliance will be validated on an ongoing basis using a number of methods, including but not limited to interviews and automated security vulnerability scanning tools.

11. Exceptions to Security Patching Standard

OIT Security and Compliance will assess the risk, assist in identifying alternate compensating controls, and communicate recommendations to the requesting party as well as applicable Data Stewards. Exception requests should clearly document the justification for the exception and the compensating controls that will be implemented to mitigate the risk associated with the delay in applying patches. Contact Security and Compliance to submit requests for exceptions to the NCSU Software Patching Standard. The Vice Chancellor for IT & CIO or their delegate will make the final decision on an exception.