Patching practices inquiry

[Clifford Collins <collinsc () FRANKLIN EDU>]

I would like to know what other academic institutions practice when it comes to patching workstations, servers, and 
network gear.

Do you test patches? If so, then how ?

How long do you wait before pushing them? Or do you just patch on a set cycle?

What constitutes an emergency patch that you apply out of cycle?

Do you use any specific criteria for evaluating the severity of the vulnerability in decision making?

Do you have any suggestions on where to find "best practices" on the subject?


You can send your responses to me directly and, if there is much interest, I will summarize the results on the list.

Thank you in advance for responding!

Clifford A. Collins
Information Security Officer
Franklin University
201 South Grant Avenue
Columbus, Ohio 43215
"Security is a process, not a product"