Guidelines for patching and maintenance of devices and software for computers and mobile devices accessing MHC systems.
Main Point: Install updates when prompted. Restart computers at least monthly to complete updates.
Overview of guidance for software updates
One of the most important ways to protect the information, reputation, and privacy of Mount Holyoke College and its users is by prompt installation of patches on computers and mobile devices.
Most cyber attacks against systems target known vulnerabilities that have been fixed in newer versions. This puts users who are behind on security updates (and the organizations and communities they are a part of) at the greatest risk.
Your laptop, your personal cell phone used to access Mount Holyoke College systems, and the servers that MHC maintains — in other words, ALL devices that access MHC systems and data — must all be patched against the latest security vulnerabilities as part of a collective web of protection.
This guidance applies to all MHC employees and contractors accessing MHC systems, network and data from MHC-owned and personal devices.
Definitions
Patching: A patch is a software update designed to fix security vulnerabilities in existing computer systems or applications. Patching is the process of downloading and installing the patches.
Supported Operating System/Supported Application: Supported software is software that is currently being patched by the vendor.
Guidance
While everyone plays a role in keeping MHC secure against vulnerabilities, you will have different responsibilities depending on your organizational function.
All employees (faculty, staff, contingent workers/affiliates, volunteers)
- Computers and devices should be no more than 30 days behind with patches, and devices should only run supported operating systems and applications.
- Enable auto-update on all your devices, including personal devices, such as cell phones, personal computers, and tablets that connect to MHC's network or systems.
- This action includes getting the latest versions of the current operating systems that you're running (e.g., Windows, macOS, iOS, Android) as well as upgrading to new major releases before the one you're running is no longer supported by the vendor.
- If you have questions on how to enable these features, please ask the LITS Technology Help Desk. On your MHC-owned computer, we have generally configured auto-updates for you.
- Pay attention to auto-update notifications.
- Once prompted, install the update within 48 hours or before the advertised deadline. If you are unable to do so, please ask for assistance from the LITS Technology Help Desk.
- Report issues with patches to the LITS Technology Help Desk. Patch issues are rare, but when they do occur, LITS wants to track them.
- When selecting software or cloud services, favor vendors that have robust and effective policies and procedures around patching and security.
Exemptions: If dedicated hardware or software requires maintaining unsupported operating systems or applications, the system(s) must be configured to have limited or no network / internet access. You can request exemptions for LITS-deployed computers.
LITS Asset Management Staff
- Ensure that systems are configured with automatic updates and/or downloads as applicable.
- Provide mechanisms for automatic patching and/or Self Service actions to assist with guided patching and upgrades.
- Subscribe to all mailing lists and notification systems of existing vendors to ensure that patch notifications are received.
- In the case of critical systems or software, if applicable, test updates/patches before they are deployed.
- At least quarterly, scan and monitor all MHC-owned computers to verify that all appropriate released patches have been installed.
- Work with employees to upgrade hardware and software on a timely basis to maintain supported operating systems and applications.
- Assist employees with obtaining exemptions to the patching and supported OS/applications guidance as necessary.
- Distribute a monthly patch reminder for users of computers that can't be remotely patched.
- Provide an "Early Adopters" program for early access to new patches and upgrades.