Business Practice for Patch Management

Printable Version in PDF Format (Get Adobe Acrobat)

Table of Contents

History [top]

  • Business Practice Number: BP.02.006
  • Version: 1
  • Drafted By: Neal Fisch
  • Approved By: Michael Berman
  • Approval Date: 08/25/2017
  • Latest Revision Date:

Purpose [top]

To assure the confidentiality, integrity, and availability of CSU Channel Islands information assets by regularly assessing the University’s patch management practices and administration for efficacy and timeliness.

Background [top]

The University is required by CSU system-wide policy to protect its information assets. One industry best practice in information security is the regular assessment and implementation of software and hardware patching of all computing devices computing within the computing environment.

Business Practice [top]

Accountability [top]

Vice President for Technology and Innovation

Information Security Officer

Applicability [top]

All University-owned hardware connected to the University network

Definition(s) [top]

Patch:  A patch is a piece of software designed to update a computer program or its supporting data, to fix or improve it. This includes fixing security vulnerabilities, other bugs, and improving the usability or performance, with such patches usually called bugfixes or bug fixes.

Patch Management: Patch management is a strategy for managing patches or upgrades for software applications and technologies. A patch management plan can help a business or organization handle these changes efficiently.

Text [top]


In order to ensure the confidentiality, integrity, and availability of the University’s information assets, Information Technology Services (ITS) will implement the following regular patch management practices. 

Regular patch management practices

ITS will regularly test and apply available software and hardware patches across the University environment for University-owned computing devices, using an industry accepted standard for patch management. Patch management and administration will follow CI’s existing standard change control practices (see BP.00.002).

The University currently utilizes Microsoft’s System Center Configuration Manager (SCCM) as its patch management system.

Exhibit(s) [top]

Assessment History [top]

DescriptionFrequencyRole Assigned
Assessment of business practiceAnnualISO