Division:
Administration & Finance
Department:
Information Technology Services
Contact Information:
Nish Malik / Senior Associate Vice President (AVP) and Chief Information Officer (CIO) / (415) 405-4105 / nish@sfsu.edu
Effective Date:
Thursday, July 1, 2010
Revised Date:
Thursday, October 21, 2021
Authority:
Configuration Management (ISO Domain 12: Operations Security Policy
Objective:
This policy defines requirements for patch management on all SF State owned information technology systems, network resources and applications.
Statement:
All SF State-owned information technology systems, network resources (e.g., switches, routers and firewalls) and applications will have a management-appointed person or persons (formally identified) responsible for maintenance of operating systems, security software and applications.
Unless a security patch or update introduces security or performance issues, all components will be kept current, including the operating system, Web server, application server, DBMS, applications and all code libraries.
All departments and units will follow documented patch management standards and procedures in conformance with change control policies.
References
Configuration change and patch management implementation guidelines
Change Control (ISO Domain 12: Operations Security Policy)