Patching Exception Policy

Version 1.0

For Students, Faculty, Staff, Guests, Alumni

Purpose

This policy ensures the security and integrity of the University’s IT Resources by following a formal, risk-based process for managing exceptions to scheduled patching that would disrupt critical University activities. 

Scope

This IT Security policy, and all policies referenced herein, shall apply to all members of the University community, including faculty, students, administrators, staff, alumni, authorized guests, delegates, and independent contractors (the "User(s)" or "you") who use, access, or otherwise employ, locally or remotely, the University's IT Resources, whether individually controlled, shared, stand-alone, or networked.

Policy Statement

  • Unless a formally approved exception exists, all IT Resources must be patched per the University-defined schedules per the Patch Management Procedure. 
  • Exceptions must only be requested when patching would disrupt critical University activities. System Owners are responsible for identifying such instances and initiating an exception request as outlined in the Patch Management Exception Procedure. 
  • All requests for exceptions must be submitted through the University’s IT ticketing system (e.g., ServiceNow) and must include a clear business justification, a defined timeframe, and proposed compensating controls. System Owners must ensure the accuracy and completeness of submitted information. 
  • Information Security and Assurance (ISA) must review and approve all exception requests and proposed compensating controls to assess their risk appropriateness and, if necessary, recommend alternate mitigation options per the Patch Management Exception Procedure.
    • Exceptions considered high-risk by the ISA, or those exceeding 30 calendar days, must be reviewed and approved jointly by the Chief Information Security Officer (CISO) and the Chief Information Officer (CIO). 
  • System Owners must implement all compensating controls identified by ISA during the approved exception period, with IT assistance as necessary. They must ensure compliance with any follow-up requirements specified in the Patch Management Exception Procedure. 
    • Expired exceptions must be resolved by one of the following actions:  
      • Applying the deferred patch, 
      • Submitting a renewal request for review, or  
      • Decommissioning the affected IT Resource.  
    • Compensating controls that are not properly and consistently deployed may result in the revocation of the exception. 
  • ISA must maintain records of all approved exceptions, validate them, and ensure they are available in the University ticketing system for internal audit or external regulatory review upon request. 
  • If the compensating controls cannot be applied as agreed, alternatives must be sought immediately in consultation with ISA. 

Definitions

IT Resources include computing, networking, communications, applications, telecommunications systems, infrastructure, hardware, software, data, databases, personnel, procedures, physical facilities, cloud-based vendors, Software as a Service (SaaS) vendors, and related materials and services. 

A patch is a software update consisting of code inserted (i.e., patched) into the code of an executable program. Typically, a patch is installed into an existing software program. Patches are often temporary fixes between full releases of a software package. Patches include, but are not limited to, the following: 

  • Updating software
  • Fixing a software bug
  • Installing new drivers
  • Addressing new security vulnerabilities
  • Addressing software stability issues 

Patch management cycle is a part of lifecycle management and is the process of applying a strategy and plan that defines which patches should be applied to which systems at a specified time. 

System Owner is the individual or group responsible for the procurement, development, integration, modification, operation, maintenance, and retirement of the server, operating system, or other elements that support an Application Owner providing services. The System Owner provides the technical infrastructure for system state and data retention backups. If a third party provides these services, the System Owner is responsible for maintaining the relationship with the third party providing the service. 

Related Policies and Procedures

Implementation Information

Review Frequency: Triennial
Responsible Person: Senior Director of IT Security and Assurance
Approved By: CIO
Approval Date: March 1, 2026

Revision History

Version   Date         Description
1.0       03/01/2026   Initial document

Policy Disclaimer Statement

Deviations from policies, procedures, or guidelines published and approved by Information Security and Assurance (ISA) will only be considered cooperatively between ISA and the requesting entity, with sufficient notice to allow for conducting appropriate risk analysis, documentation, review, and notification to authorized University representatives where necessary. Failure to adhere to ISA written policies may be met with University sanctions up to and including dismissal.
