(Drafted March 2026. Pending Governing Board Approval)
Vulnerability & Patch Management Standard
1. Purpose
This standard defines how Colearn Academy will address known security vulnerabilities and keep systems reasonably up to date with security patches.
2. Scope
This standard applies to school‑managed devices, operating systems, and key applications and services under Colearn Academy’s administrative control.
Operating context: Colearn Academy has no physical building and no school-owned hardware. “School‑managed” refers to cloud applications and services under the School’s control and, where applicable, to configuration or update expectations for software on family- or user-owned devices used for school purposes.
3. Patching and Updates
3.1 Where possible, automatic updates will be enabled on supported platforms for operating systems and commonly used applications.
3.2 For systems where automatic updates are not available or appropriate, updates should be applied on a regular schedule and as soon as practical for critical security fixes.
4. Vulnerability Information
4.1 The Information Security Lead or designee will stay reasonably informed about significant security advisories that may affect major platforms or services used by the School.
4.2 When critical or high‑impact vulnerabilities are identified that are relevant to the School, the School will assess risk and prioritize remediation efforts accordingly.
5. Exceptions
5.1 If a patch or change cannot be applied in a timely manner due to operational constraints, the School will consider temporary risk‑reducing measures (for example, limiting access, changing configuration, or monitoring more closely) where feasible.
6. Review
This standard will be reviewed at least annually and updated as needed to reflect changes in technology or risk.