IT Risk, Patch & Vulnerability Management Policy

Purpose

The purpose of this policy is to establish enforceable standards for identifying, assessing, mitigating, and monitoring information technology risks at Colorado College. It ensures that IT systems and data are protected through regular risk assessments, timely application of patches, and proactive management of vulnerabilities.

Scope

This policy applies to all ITS-managed systems, applications, and network devices, as well as third-party systems that process institutional data. It applies to all faculty, staff, contractors, and vendors responsible for the management, support, or use of college IT systems.

Responsible office: Information Technology Services
Responsible party: Vice president for information technology/Chief technology officer
Last revision: February 2026
Approved by: The Cabinet
Approval date: January 2026
Effective date: February 2026
Last review: January 2026
Additional references:

Scope

All financial and administrative policies involving community members across campus, including volunteers, are within the scope of this policy. If there is a variance between departmental expectations and the common approach described through college policy, the college will look to the campus community, including volunteers, to support the spirit and the objectives of college policy. Unless specifically mentioned in a college policy, the college’s Board of Trustees is governed by its Bylaws.

Policy

Colorado College ITS will implement a structured, consistent approach to risk management, patch management, and vulnerability remediation. The following subsections provide detailed requirements.

1. IT Risk Management

ITS will conduct risk assessments regularly and before major system changes, acquisitions, or integrations. The following requirements apply:

  • All identified risks must be logged in the IT risk register.
  • Risks will be assessed for likelihood and impact (1-10 scale).
  • Critical and high risks must include documented mitigation strategies.
    • Accepted critical and high IT risks without a mitigation strategy must be approved in writing by the CIO.
  • The risk register must be reviewed by ITS regularly.
  • Risk assessments must consider regulatory compliance (including, but not limited to, GLBA, FERPA, HIPAA, and PCI DSS), federal law, state and local law, and Colorado College policy.

2. Patch Management

Patch Identification
Regularly monitor vendors and industry sources for available security patches and updates.

Patch Prioritization
Classify patches based on criticality—critical, high, medium, or low—focusing on security vulnerabilities.

Patch Testing
Test patches in a controlled environment where possible before deployment to avoid system disruptions.

Deployment

  • Timing
    • Scheduled downtime for patches may occur every Thursday (midnight to 6:00am) and Saturday (midnight to 10:00am). Refer to the Scheduled Downtime - Colorado College page. We will communicate if planned outages occur outside these windows.
  • Servers and Databases
    • Deploy critical and high-priority patches within 5 days, medium within 15 days, and low as part of routine maintenance.
  • Endpoints
    • Deploy critical and high-priority operating system patches within 14 days and medium within 90 days; low-priority patches (mostly feature patches) are optional.

3. Vulnerability Management

ITS will perform vulnerability scans at least monthly across the entire network and more often for new systems or services. The following requirements apply:

  • Scans must identify missing patches and security weaknesses.
  • Vulnerabilities must be prioritized using industry scoring systems (e.g., CVSS).
  • Critical vulnerabilities must be remediated according to the Patch Management section.
  • Compensating controls may be used temporarily if remediation is not immediately feasible.
  • Results must be reported to system owners, or the main department if a system owner hasn’t been identified, and tracked until resolved.
  • Penetration tests will be considered on a regular basis.

4. International Travel and Computing Devices

When traveling to high-risk countries (see the top countries on the World Cybercrime Index, published by Oxford University in April 2024), be aware that devices may be compromised in undetectable ways or could be confiscated and not returned. In these regions, there is a heightened risk of espionage, surveillance, and data compromise. The only truly secure option is to refrain from using digital devices (including cell phones) when traveling to these areas.

However, we understand that this may not always be feasible.

If you are going to bring a CC-owned computing device with you to one of these countries, you do so at your own risk. You are responsible for understanding and complying with export regulations, laws, and vendor terms. For example, some prohibit using encryption or other regulated technologies in certain countries, and there are restrictions on the use of services in some countries due to U.S. law or policies, including sanctions.

You must let ITS know about your trip so we are aware of where you are going, what CC-owned device(s) you plan to bring with you, and what institutional data (if any) you will access or bring with you.

  • You may need approval from the relevant data owner, depending on what institutional data you plan to access or bring with you.

Consider asking ITS for an international travel loaner. These devices are more ‘hardened’ and locked down than typical employee computers and are intended specifically to minimize risk during international travel.

  • Devices will have basic internet access and Microsoft Office software, encrypted hard drives, and overall stricter controls on installing software or storing any data locally.
  • ITS requires one week’s notice before your trip, and you must return the device within 48 hours of returning. We will wipe the device clean immediately upon receiving it back.
  • Loaner laptop and iPad checkout for international travel to high-risk countries is limited. We will prioritize loaners based on risk according to the specific details of your reported trip.
  • If the loaner device is lost, stolen, or confiscated while on your trip, contact ITS as soon as possible to let us know.
    • There will be a fee to replace the device.

5. Disaster Recovery (Internal Reference)

Colorado College maintains an internal Disaster Recovery Plan that defines procedures for restoring IT services following disruptions. While not published publicly, this plan is integral to risk management and must be followed by ITS staff.

6. Incident Response

If vulnerabilities are exploited or patch failures lead to incidents, the ITS Incident Response Plan must be activated. All incidents must be contained, remediated, and reported promptly to leadership. Root cause analysis will be conducted for major events.


Procedures

  • Maintain a centralized risk register.
  • Run monthly vulnerability scans on critical systems.
  • Centralized tracking of patch deployment and vulnerabilities.
  • Document all exceptions with compensating controls.
  • Report compliance metrics to ITS leadership regularly.

Review & Update

This policy will be reviewed regularly, or earlier if prompted by new threats, audit findings, new potential systems and/or integrations, or regulatory changes.

Definitions

  • Risk Register: Centralized log of IT risks and mitigation status.
  • Patch: Vendor-provided software update to correct vulnerabilities.
  • Vulnerability: Weakness in software, hardware, or processes exploitable by threats.
  • CVSS: Common Vulnerability Scoring System, used to rate vulnerability severity. It is managed and curated by an external entity.
  • Compensating Control: Alternative safeguard when remediation cannot occur immediately.
Last updated: 02/24/2026