
System Maintenance and Management (IN-POL-011)



Administrative Departmental Policy
This department-specific policy applies to the operations and staff of the Information Services
Department of the University of Wisconsin Hospitals and Clinics Authority as integrated effective July 1,
2015.

Policy Title: System Maintenance and Management
Policy Number: IN-POL-011
Effective Date: 2/26/16
Chapter: NA
Version: Revision
I. PURPOSE
This policy describes the protocol for implementation of vendor-provided software patches by
UW Health IS to resolve vulnerabilities and/or fix errors in common software applications used
by the organization.

II. DEFINITIONS (optional)
Patch: An update to software applications that resolves known vulnerabilities, repairs, and/or
updates the software.

III. POLICY ELEMENTS
A. Overview

Patches for UW Health computer and server systems are evaluated for their applicability and
importance to the proper functioning of the systems, and then installed as necessary. This is
accomplished via deployment tools or manual installation. Updates include, but are not limited to,
patches for:
• Operating systems
• Hardware drivers
• Software applications
• Software that protects against viruses, malware, and spyware

Updates classified as Critical or High by software manufacturers, other trusted sources (SANS,
Security Focus, MITRE), or UW Health Information Services are evaluated for deployment as
soon as possible. In some cases, a patch may not be available immediately, so personnel
responsible for deploying the patch monitor the availability of the patch and incorporate it into
software update processes once it is available.

UW Health IS teams subscribe to appropriate mailing lists that provide updates on vulnerabilities
for typical/popular software. The list(s) are forwarded to the appropriate team leads for review.

For software that is not included on the widely distributed mailing lists, individual teams develop
their own methods for monitoring and identifying new vulnerabilities in the systems/applications
that fall within their responsibilities. In such cases, teams may subscribe directly to email lists of
companies that develop specific software, or they may periodically review web sites/newsgroups
that deal specifically with a particular application.


Consideration must be given to systems that primarily use software from a single vendor. These
systems may require prior approval from the software vendor before updates can be applied.

It is best practice to roll out updates on a test group before doing a system-wide implementation,
to ensure there are no adverse effects on system functionality. After testing is complete, a full
rollout is performed.

B. Windows Server Update Services

Windows Server Update Services enables Information Services administrators to deploy the latest
Microsoft product updates to computers and servers that are running the Windows operating
system (OS).

Updates for Windows systems are deployed monthly or as needed.

Windows server OS and Virtual Desktop OS updates are the responsibility of the IS Server Team.
Windows desktop OS updates are the responsibility of the End User Technical Support (EUTS)
Team. IS Application Analysts also perform OS updates.

C. Linux Desktop and Server Operating Systems

Linux desktop and server OS updates are jointly handled by the following IS teams:
• Database Administration Team
• Network Team
• Server Team

The assigned maintenance team for these systems evaluates whether a manual or automatic
update process best addresses the requirements of the system without affecting its ability to
function normally.

If a manual process is chosen, the assigned team must document the following:

1. All updates classified as Critical/High that were not applied
2. The reason for not applying them

D. Server Virtualization Software (VMware and Hyper-V)

Virtualization software (VMware and Microsoft Hyper-V) is used to partition a single hardware
server into multiple virtual servers to increase processing power and functionality.

VMware is the primary virtualization software used by UW Health. Hyper-V has some limited
use.

Server virtualization software is updated periodically to address bug fixes and add new features as
needed. There is no set schedule for updates. They are made to keep the software current and
functioning properly. Vendor requirements often dictate what updates are applicable.

UW Health IS maintains current software within these guidelines.


E. Antivirus Updates

Refer to the System Wide Malware and Anti-Virus Policy and Procedure for information on
updating software that protects against viruses, malware, and spyware.

Antivirus updates for the Windows server OS and Virtual Desktop OS are the responsibility of
the IS Server Team. Antivirus updates for the Windows desktop OS are the responsibility of the
End User Technical Support (EUTS) Team.

F. Hardware/Drivers (Including Network Infrastructure Hardware)

Hardware and driver updates are jointly handled by the following IS teams:
• EUTS Team
• Network Team
• Server Team

Hardware/driver updates happen infrequently. Since they can impact the ability of users to
perform their jobs, careful consideration must be given when applying these updates.

Security flaws and performance enhancements are significant reasons to apply these types of
updates on the applicable systems promptly. For this reason, UW Health IS maintains an accurate
list of systems and associated hardware, to avoid an extensive discovery phase.

G. Health Link (Epic)

Refer to the Health Link (Epic) RA/SU Management Policy (HL-010) for information on
updating Health Link (Epic) systems.

H. Software Applications

There are numerous applications within UW Health that require monitoring for available updates.
UW Health Information Services tracks, monitors, and provides updates for these as required.

I. Email

Updates to email applications are the responsibility of the Server team.

J. Database Systems (Oracle and SQL)

Updates to the Oracle and SQL database infrastructures are the responsibility of the Database
Administration team.

K. Other Systems

1. A number of other systems exist that are important to daily operations. Updates for these
systems are evaluated under the same criteria as the systems described above.


2. Applications in use at UW Health that have a limited use/audience are not monitored for
updates by UW Health IS. When the vendors for these applications notify users of updates,
the user notifies IS so that the patch/update can be installed as appropriate. In some cases this
may require creating an image of the system so the prior system can be restored if a problem
is found with the update.


IV. PROCEDURE
The following procedure supports this policy:

System Maintenance and Management Procedure (IN-PRO-009)

V. FORMS (optional)
NA

VI. REFERENCES (optional)
Related Policy:

Systemwide Malware and Antivirus (IN-POL-005)

VII. COORDINATION

Sr. Management Sponsor: UW Health CIO
Author: UW Health IS Director - Infrastructure
Reviewer(s): UW Health IS Directors

Approval Committee: UW Health IS Directors

SIGNED BY:
UW Health CIO

Revision Detail:

Effective Date | Next Review | Summary of Changes | Change Authors
2/26/16 | TBD/2017 | Annual review/revision. | S. Schroeder, E. Bakkum
1/8/2015 | 1/8/2016 | Original release. | UW Health IS Director - Infrastructure