Revised: 27 Nov 2024 by ITSC

A supported operating system must be used for server in which vendor can provide timely security patches on known and published vulnerabilities. ITSC recommends to follow the National Vulnerability Database (NVD) ratings for security risk classification and patch management, applying high severity (score of 7.0-10.0) security patches within 1 week after publish, medium severity (score of 4.0-6.9) and low severity (0.0-3.9) within 4 weeks. On very high severe vulnerability that will cause instantaneous exploitable threat to the system, ITSC would recommend to apply patch or remediation immediately.

As a general practice, a system upgrade shall be scheduled no longer than every 4 weeks to apply all severity levels of patches to a server operation system.

Related Links

• NVD is the U.S. government repository of standards based vulnerability management data. This data enables automation of vulnerability management, security measurement, and compliance.