Patch Management Exception Procedure

Version 1.0

For Students, Faculty, Staff, Guests, Alumni

Purpose

This procedure outlines the steps required to request, evaluate, approve, and implement patching exceptions for Fordham IT Resources when patching would disrupt critical University activities. 

Scope 

This IT Security document, and all policies referenced herein, shall apply to all members of the University community, including faculty, students, administrators, staff, alumni, authorized guests, delegates, and independent contractors (the "User(s)" or "you") who use, access, or otherwise employ, locally or remotely, the University's IT Resources, whether individually controlled, shared, stand-alone, or networked. 

Policy Statement

  1. Exception Identification
  • The System Owner determines that applying a patch per the Patch Management Procedure cadence would disrupt critical University activities.
  2. Submission of Exception Request
  • The System Owner submits a patching exception request using the [designated workflow] in ServiceNow
  • Required information includes:
    • System or asset name
    • IP Address
    • MAC Address
    • Physical Location of asset
    • Description of the impact on business activities
    • Justification
    • Requested deferral period [7, 14, 30, 60, 90 days or permanent]
    • Contact information for System Owner
    • Contact information for the responsible personnel, if delegated by the System Owner
  3. Risk Review by Information Security and Assurance
  • Upon submission, Information Security and Assurance:
    • Reviews the request for completeness
    • Assesses the security risk associated with the unpatched system
    • Classifies the risk exception level
    • Recommends appropriate compensating controls (e.g., network segmentation, access restrictions, additional monitoring) and assists in the identification and vetting of the personnel responsible for the remediation efforts
  4. Approval Routing
  • Low or moderate risk exceptions:
    • Reviewed and approved by Information Security and Assurance
  • High-risk exceptions:
    • Must be approved by the Chief Information Security Officer (CISO) and the Chief Information Officer (CIO)
  • The Change Advisory Board (CAB) may be consulted if there is an institutional impact across departments or systems
  5. Implementation of Compensating Controls
  • The System Owner or IT designee implements, and maintains for the duration of the exception, all required compensating controls within the agreed-upon timeframes noted in the Information Security and Assurance review
  • Information Security and Assurance regularly verifies implementation through vulnerability scanning, configuration review, or other technical validation
  6. Closure and Documentation
  • After the patch(es) are applied or the system is retired:
    • The System Owner must update the ServiceNow ticket to reflect the closure
    • Information Security and Assurance will verify and close the exception record

Definitions

CVE (Common Vulnerabilities and Exposures): 
A publicly disclosed identifier assigned to known cybersecurity vulnerabilities. CVEs are published by the MITRE Corporation and referenced in vendor security bulletins, patch advisories, and vulnerability scanning tools. 

IT Resources include computing, networking, communications, applications, telecommunications systems, infrastructure, hardware, software, data, databases, personnel, procedures, physical facilities, cloud-based vendors, Software as a Service (SaaS) vendors, and related materials and services.

A patch is a software update consisting of code inserted (i.e., patched) into the code of an executable program. Typically, a patch is installed into an existing software program. Patches are often temporary fixes between full releases of a software package. Patches include, but are not limited to, the following:

  • Updating software
  • Fixing a software bug
  • Installing new drivers
  • Addressing new security vulnerabilities
  • Addressing software stability issues 

Patch management cycle is a part of lifecycle management and is the process of using a strategy and plan of what patches should be applied to which systems at a specified time. 

System Owner is the individual or group responsible for the procurement, development, integration, modification, operation, maintenance, and retirement of the server, operating system, or other elements that support an Application Owner providing services. The System Owner provides the technical infrastructure for system state and data retention backups. If a third party provides these services, the System Owner is responsible for maintaining the relationship with the third party providing the service.

Related Policies and Procedures

Implementation Information

Review Frequency: Triennial
Responsible Person: Senior Director of IT Security and Assurance
Approved By: CIO
Approval Date: March 1, 2026

Revision History

Version   Date         Description
1.0       03/01/2026   Initial document

Policy Disclaimer Statement

Deviations from policies, procedures, or guidelines published and approved by Information Security and Assurance (ISA) will only be considered cooperatively between ISA and the requesting entity with sufficient notice to allow for conducting appropriate risk analysis, documentation, review, and notification to authorized University representatives where necessary. Failure to adhere to ISA written policies may be met with University sanctions up to and including dismissal.
