9:100-AP1 Secure Configuration & Patch Management
Purpose
This procedure ensures District technology systems adhere to secure configuration standards and receive timely security updates in order to reduce cybersecurity risk and maintain system integrity.
Scope
This procedure applies to all District-managed:
- End-user devices
- Servers
- Network infrastructure
- Cloud platforms and hosted applications
- Administrative and service accounts
Access authorization and permission review for accounts are addressed in 9:140-AP1. This procedure addresses secure configuration and patching controls applicable to District-managed systems, platforms, devices, infrastructure, applications, and accounts.
Responsibilities
- Technology Director – Oversees the District’s secure configuration and patch management program.
- Technology Department – Implements and maintains secure configurations and patching practices consistent with this procedure.
- System Users – Shall not alter security configurations or disable updates.
Procedure
I. Secure Configuration Baselines
The District shall maintain approved secure configuration baselines for technology systems appropriate to their function and risk level.
Configuration baselines shall reflect recognized security standards where practical and shall be reviewed on a schedule established in internal operating procedures.
II. Configuration Enforcement
Secure configuration standards shall be enforced using centralized management methods where available.
Any deviation from approved baseline configurations shall be documented, justified by operational need or technical limitation, approved by the Superintendent or designee, and reviewed at intervals appropriate to the risk.
III. Patch Management
The District shall maintain a structured process to identify, evaluate, and apply security patches and updates.
Patch prioritization shall consider:
- Severity of vulnerability
- Risk to District operations
- Operational impact
Systems unable to be patched within timeframes established in internal operating procedures shall be subject to compensating controls, documented risk acceptance, or access restrictions appropriate to the risk.
IV. Testing and Change Control
Significant configuration changes and patch deployments shall follow established testing and change management practices to minimize disruption.
Emergency changes may be implemented when required to address active threats or critical vulnerabilities.
V. Compliance Monitoring
The District shall review system configurations and patch status on a schedule established in internal operating procedures to verify compliance with this procedure.
Non-compliant systems may be subject to remediation or access restrictions.
VI. Documentation
The Technology Department shall maintain documentation sufficient to demonstrate implementation of this procedure, including configuration baselines, patch status, reviews, exceptions, approvals, risk acceptances, and remediation actions.
VII. Compliance and Review
Failure to comply with this procedure may result in disciplinary action and/or legal consequences.
This procedure shall be reviewed at least annually and updated as necessary to reflect changes in law, Board policy, technology, cybersecurity risk, or District operations.
