Current patches

SA9: Operating system and application patches must be current and supported by the vendor or Open Source project, whether the system is managed directly by Harvard or via contract with a third-party service provider for Harvard's use (e.g. IaaS, SaaS).

How to Comply

Schedule patches appropriately

Evaluate, schedule, and apply any missing security updates within 30 days. Apply patches immediately and without delay for critical vulnerabilities enabling remote, unauthenticated administrative access.