1 Purpose and Scope
1.1 Purpose
This policy defines the University's approach to identifying, evaluating and addressing vulnerabilities within the organisation's IT infrastructure. Its aim is to protect the organisation's assets from security threats by ensuring timely and effective vulnerability remediation and patch management.
1.2 Scope
1.2.1 This policy applies to all IT assets, including hardware and software, within the organisation. It covers all departments and personnel responsible for managing and maintaining these assets.
1.2.2 This policy also covers University systems and applications hosted or managed by third parties. If third parties are responsible for vulnerability and patch management, they must adhere to this policy or equivalent requirements as stated in the contract.
1.2.3 All members of staff should be aware of the University's responsibilities under this policy and of the measures set out below to comply with it.
2 Definitions
2.1 Vulnerability - refers to a weakness or flaw in a system, network, application, software or device that can be exploited by attackers (e.g. to gain unauthorised access, disrupt operations, or steal sensitive data).
2.2 Patch - a software update designed to fix vulnerabilities or security flaws, or to introduce product enhancements.
2.3 System Criticality - the criticality classification assigned to a system on the basis of Business Impact Analysis (BIA) assessments carried out as part of Business Continuity Planning (BCP).
2.4 Common Vulnerability Scoring System (CVSS) v3.1 - an open framework for communicating the characteristics and severity of software vulnerabilities. The University of Bath requires all vulnerabilities with a CVSS severity of medium or above (i.e. a base score of 4.0 or higher on the 0.0 to 10.0 scale) to be remediated.
3 Roles and Responsibilities
3.1 Chief Digital Officer (CDO) is responsible for approving the Vulnerability and Patch Management Policy.
3.2 Chief Information Security Officer (CISO) is responsible for ensuring this policy is implemented across the University so that University IT assets are protected.
3.3 Business Service Owner of the system is accountable for evaluating the implications of any decision not to address a vulnerability and for authorising that decision.
3.4 Technical Service Owner of the system is responsible for ensuring fixes and patches are applied to systems, and for compliance with this policy and the associated Security Patching Standard.
3.5 Operational roles and responsibilities must be captured in the separate vulnerability management and patch management processes.
4 Policy
4.1 Vulnerability management
4.1.1 Vulnerability scans must be run at regular intervals against systems, applications and endpoints to identify:
- vulnerabilities
- security misconfigurations
- exposed secrets
- whether patches have been applied successfully
4.1.2 Vulnerabilities must be managed in accordance with the vulnerability management process, including its exception handling for Research.
4.1.3 A process for remediating identified vulnerabilities must be established.
4.1.4 The Business Service Owner must be notified if a vulnerability is not mitigated within the timelines set out in the Security Patching Standard.
4.1.5 Exception requests may cover delayed remediation, exemption from patching (i.e. for assets that cannot be patched) or exclusion of a device from scanning. Exception requests must be recorded and must contain:
- Identifier(s) of the asset(s)
- Business & Technical Service Owner(s)
- The reason for the exception or patching exemption
- The risk to the business of not patching
- All relevant technical & operational considerations
- The date of review
4.1.6 Remediation must be verified by a re-scan confirming that the vulnerability is no longer detected.
4.2 Patch management
4.2.1 Patches will be managed in accordance with the patch management process and the Security Patching Standard.
5 Related Documents
5.1 The following policies, standards and procedures are related to this policy:
- Information Security Policy
- IT Acceptable Use Policy
- IT Equipment Policy
- Security Patching Standard