Skip to:

Office of General Counsel Policies & Guidelines

Enterprise Information Systems Updates : G-050

Policy/Guideline Area

General Guidelines

Applicable Divisions

TCATs, Community Colleges, Universities, System Office, Board Members

Purpose

The purpose of this policy is to establish minimum standards of expectations related to maintaining appropriate software versions and upgrades within the institutional infrastructure.

Policy/Guideline

  1. Policy
    1. Enterprise information systems and components used at Tennessee Board of Regents’ institutions should maintain appropriate and timely updates/patches/maintenance to ensure that systems, data, and personal identifiable information (PII) are adequately protected.
    2. Maintaining proper oversight and implementation of this policy will help to:
      1. Reduce system vulnerability,
      2. Provide consistent system-wide support,
      3. Ensure compatibility with other systems, and
      4. Enhance application functionality.
    3. It is important that institutional executive and oversight leadership support the necessary functions and processes required in order to ensure that systems and data are protected and secure.
  2. Scope
    1. This policy applies to all enterprise information systems, software, and components.
      1. This would include, but not be limited to web systems, end-user applications, infrastructure and end-user information systems, and all other software and hardware not specifically noted.
    2. Enterprise Information Systems Update Priorities
      1. The following are the priorities and timeframes within which updates must be applied:
        1. Develop institutional approval and sign-off procedures based on the update requirements.
        2. Schedule to not be subject to change except in the most extreme circumstances.
        3. Be communicated to students, faculty and staff in a timely manner.
        4. Critical updates/fixes should be applied as soon as is possible in accordance with institutional approval and sign-off procedures.
    3. Enterprise Information Systems Covered By This Policy
      1. ERP Quarterly Updates should be installed in their entirety and in a timely manner. The institution should not be more than one version behind the current ERP vendor-certified release.
      2. Oracle CPU Updates should be installed in a timely manner and the institution should not be more than one version behind the ERP vendor-certified release.
      3. Luminis updates should be installed in a timely manner and the institution should not be outside the TBR certified support schedule.
      4. External application and system hosting will conform to institutional requirements with written exceptions being made as necessary based on the abilities and contractual obligations between the institution and the hosting vendor.
      5. Operating System (OS) updates for servers, workstations, and other end user equipment should be installed in a timely manner in accordance to institutional needs and requirements in order to minimize and avoid unduly exposing the institution to risks.
      6. End-user applications regular and critical updates should be installed in a timely manner in accordance to institutional needs and requirements in order to minimize and avoid unduly exposing the institution to risks.
      7. Network infrastructure and systems regular and critical updates should be installed in a timely manner in accordance with institutional needs and requirements in order to minimize and avoid unduly exposing the institution to risks.
      8. All other enterprise information systems and components regular and critical updates should be installed in a timely manner in accordance to institutional needs and requirements, and to minimize and avoid unduly exposing the institution to risks.
  3. Exceptions
    1. Exceptions to items 1. and 2. under Enterprise Information Systems Covered by this policy must be approved by the President/CEO at the institution and filed with the Chancellor and System CIO.
    2. Other exceptions to this policy may be approved by the CIO or most senior information technology (IT) official at the institution.
    3. Each exception must be documented in detail and retained for future review.

Sources

New Guideline approved at Presidents Meeting, August 19, 2014, effective September 26, 2014. President's Meeting, August 16, 2016. Revised at Presidents Meeting February 21, 2017.

Related Policies

Contact

Mickey Sheen
615-366-4437
mickey.sheen@tbr.edu