Part of UT Health San Antonio

Information Security - UT Health Science Center San Antonio

Patch Management Exemption

While the operating system is the backbone of a computer, patches and updates are required to keep the operating system current and secure. As software matures and technology evolves, new vulnerabilities in operating systems and applications can appear, providing avenues of attack for intruders. Patches and updates close those vulnerabilities and lock down the software.

The University's patch management system monitors the operating system manufacturers and downloads new updates as they become available. After careful testing, the patches and updates are deployed across the University at regular intervals. Currently, patches and updates are distributed on the weekend after the second Tuesday of each month. Once patched, the computer is rebooted to enable the new updates.

In some situations, rebooting the computer can disrupt services or running processes, resulting in lost data, time, and effort. Exemptions to the patch management schedule can be granted for demonstrated cases of interruption. This is an exemption to the schedule only; the systems must still be patched. Arrangements can be made to patch on a different schedule or for the systems to be manually patched, but they must be patched. Unpatched systems represent a threat to themselves and to the University at large, and will be removed from network access if left unpatched too long.

Exemptions are granted on validated business cases, with an explanation of why the existing patching schedule is inappropriate for the designated system.

The overall exemption process is as follows:

  1. The requester gathers and provides documentation justifying the exemption (see list below).
  2. The requester submits the request for exemption using the online exemption request form.
  3. The Chief Information Security Officer (CISO) makes the decision.
  4. The CISO communicates the decision:
    • Denial - notify the requester with an explanation for denial
    • Approval - notify the requester, assign expiration date

Supporting documentation for the exemption request includes, but isn't limited to:

  • Individual identifier for the device
  • Owning department, along with responsible personnel (dean/director/chair, requester, etc.)
  • How the device is currently being used
  • The reason(s) patches cannot be managed by Information Security
  • The list of personnel who will be manually applying patches
  • The schedule by which the patches will be manually applied

Exemption requests are considered on a one-device-per-form basis. In very limited situations, a large number of systems may need to be considered for exemption. In this case, download and complete the Patch Management Exemption List spreadsheet and email the file to grc@uthscsa.edu. The spreadsheet will collect the information requested in items 1 and 2.

 
Note: If you are not able to access the online form, download the form to your computer by right-clicking on this link (Exemption Request Form) and choosing the option for your browser:
  • Internet Explorer - "Save Target As ..."
  • Firefox - "Save Link As ..."
  • Chrome - "Save link as ..."

1. Download the form to your computer (requires Microsoft Excel 2007 or later)

2. Read tab "1-Instructions Page"

3. Fill out tab "2-General Form"

4. Fill out tab "Patch Mgmt"

5. Begin collecting the necessary signatures

 

For more information regarding the exemption process, please contact Information Security at grc@uthscsa.edu, or the Information Security Hotline at 210-567-0707.

Additional Resources

  • Exemption Process

 

Available Exemptions

  • Encryption Exemption
  • Unsupported Operating System Exemption
  • Centralized Server Exemption
  • Port Security Exemption
  • Two-Factor Authentication Exemption
  • Administrative Privilege Exemption
  • Group Account and Password Exemption
  • Mobile Device Management (MDM) Exemption