
One Step Ahead: Policy on Patching IT Assets


Another tip in a series provided by the Offices of Information Security, Information Systems & Computing and Audit, Compliance & Privacy

At the beginning of FY26, the University’s IT Policy Committee (ITPC) will deploy a new policy concerning patching IT assets. The new policy requires that schools and centers construct a plan for patching that includes a schedule for patching; the plan will then be shared with the Office of Information Security (OIS). A template for such a plan will be available within the IT policy management system in the security best practice document. This policy was developed by ITPC and has undergone a 30-day review by the University’s IT community at large. It has also been vetted with the Privacy and Security Executive Committee (PSEC) and the University CIO.

In this policy, patches fall into two categories: Security Patches, which are of normal urgency, and High-Risk Security Patches, which address more urgent risks to the devices in question. When specific security vulnerabilities are designated by OIS as critical, or when the vendor’s description indicates a High-Risk Security Patch for a vulnerability that can be exploited from outside Penn’s network, schools and centers must communicate with stakeholders and reprioritize work in order to implement the patch within three days.

If you have questions about the patching policy, please contact Anita Gelburd at gelburda@upenn.edu.

---

For additional tips, see the One Step Ahead link on the Information Security website: https://isc.upenn.edu/security/news-alerts%23One-Step-Ahead.
