BİM.PR.25 — Patch Management Procedure
| Document No | BİM.PR.25 | Version | 1.0 | First Published | 26.04.2026 |
|---|---|---|---|---|---|
| Owner Group | Systems & Server Management + Network & Security Group | ||||
| Approver | Mehmet ARARAT — IT Director | ||||
| Legal Basis | KVKK Art.12 · ISO/IEC 27001:2022 A.8.8 · BİGDES | ||||
| Related Documents | KYS.POL.01 P15 (Change), P16 (Vulnerabilities), KYS.POL.02, BİM.PR.04 (Maintenance), BİM.PR.09, BİM.PR.10 | ||||
1. Purpose and Scope
This procedure, within the framework of KYS.POL.01 P15 (Change Management) and P16 (Vulnerability Detection), defines how identified security vulnerabilities are classified and the framework for remediating them in a timely manner.
Covers operating systems, server software, network devices (firewall/switch/router), user computers (laptop/desktop), application platforms, and certificates.
2. Classification
| Class | CVSS / Severity | Target Timeline |
|---|---|---|
| Critical / Emergency | CVSS ≥ 9.0 or active exploitation | Within 7 days |
| High | CVSS 7.0–8.9 | 30 days |
| Medium | CVSS 4.0–6.9 | 60 days |
| Low | CVSS < 4.0 | Standard maintenance window |
3. Process
- Sources: USOM/UDB bulletins, vendor security advisories, NIST NVD CVE feed, BİM internal penetration tests (BİM.PR.03)
- Impact assessment: affected system list → pending patch list
- Testing: DEV/staging environment first
- Approval: immediate for critical, others via weekly change board (BİM.PR.09)
- Implementation: during standard maintenance windows
- Verification: post-patch service test, followed by a re-scan confirming the vulnerability is no longer detected
4. Maintenance Windows
Out-of-hours window: weekdays 22:00–06:00, Saturday 14:00–18:00, Sunday 08:00–14:00. Patches are applied within these windows whenever possible. Planned maintenance is announced in advance on the System Status page.
5. Emergency Patch (Zero-day)
- Service interruption may occur without prior notification to users
- Notification posted on System Status page after the fact
- Emergency patches are not applied without a rollback plan (e.g. a snapshot taken immediately before the change)
6. Exceptions
Systems where patching is not feasible (legacy application dependency): risk assessment is documented (BİM.PR.06), compensating controls applied (network isolation, additional monitoring). Annual review.
7. User Devices
- OS updates pushed automatically via MDM/WSUS
- Restart forced within the out-of-hours window defined in Section 4
- Critical patches applied within 7 days
8. KVKK
Patching is treated as a technical measure under KVKK Art. 12; personal data processing flows must not be lost or altered as a result of patching.
9. Effective Date
Effective 26.04.2026; reviewed each January and July.
Hasan Kalyoncu University · IT Directorate
Osmanlı Mah. Havaalanı Yolu Üzeri 8. Km 27010 Şahinbey/Gaziantep
444 6 458 · destek@hku.edu.tr · destek.hku.edu.tr · portal.hku.edu.tr
KEP: hasankalyoncu.unv@hs01.kep.tr
