Skip to:

Office of General Counsel Policies & Guidelines

Enterprise Information Systems Updates (formerly G-50) : 1.08.01.00 (formerly G-50)

Policy/Guideline Area

Governance, Organization, and General Policies

Applicable Divisions

TCATs, Community Colleges, System Office, Board Members

Purpose

The purpose of this policy is to establish minimum standards of expectations related to maintaining appropriate software versions and upgrades within the institutional infrastructure.

Definitions

  • Third-party products – Software applications that integrate with, or are ancillary to, the ERP system.
  • ERP quarterly updates – Software updates to the existing ERP system that are developed, tested, approved and released by the SMO each quarter.
  • Oracle patches and updates – Patches, fixes, and updates for the Oracle Database Server and related components that are released by Oracle on a quarterly basis. These updates may be released off schedule if considered critical.
  • Critical updates - Widely released software fixes that address specific, serious bugs, problems or defects in a system or application.  Sometimes referred to as critical hotfixes or critical patches.

Policy/Guideline

  1. Introduction
    1. Enterprise information systems and components used at Tennessee Board of Regents’ institutions shall have an established schedule of updates/patches/maintenance to ensure that systems, data, and personally identifiable information (PII) are adequately protected.
  2. Scope
    1. Enterprise information systems covered by this policy:
      1. ERP quarterly updates released by the Ellucian Satellite Maintenance Organization (SMO) shall be installed in their entirety according to the adopted schedule. The institution shall not be more than one version behind the current ERP vendor-certified release and shall make every effort to maintain the latest version release every quarter.
      2. Oracle patches and updates shall be installed according to the adopted schedule. The institution shall not be more than one version behind the ERP vendor-certified Oracle release.
      3. Critical updates, patches or hotfixes shall be applied in a timely manner in accordance with institutional needs and requirements, and to minimize (and preferably avoid) unduly exposing the institutions to unnecessary risk.
      4. Third-party products supported on the individual campuses must be maintained at a minimum vendor-supported version.
  3. Exceptions
    1. Exceptions to items 1 and 2 under section I. A. above (Enterprise information systems covered by this policy) must be approved by the President/CEO or his/her designee at the institution and filed with the Chancellor and System CIO, if applicable.
    2. Other exceptions to this policy must be approved by the President/CEO or his/her designee and the CIO at the institution.
    3. Each exception must be documented in detail and retained for future review.
    4. External application and system hosting vendors shall conform to TBR and/or institutional requirements with written exceptions being made as necessary based on the abilities and contractual obligations between the institution and the hosting vendor.

Sources

Authority

T.C.A. § 49-8-203

History

New Guideline approved at Presidents Meeting, August 19, 2014, effective September 26, 2014; President's Meeting, August 16, 2016. Revised at Presidents Meeting February 21, 2017. Revision and change from guideline to policy approved by Board at Special Called Meeting May 14, 2019.