Submitted By

Sridevi Bankupalli,, Associate Director of Enterprise Development, University Information Services

Project Team

University Information Services
Sridevi Bankupalli,, Associate Director of Enterprise Development
Mayank Mittal,, Senior PeopleSoft Administrator
Joseph Ciecior,, Associate Director, Student IT Services
Jackie Hess,, Assistant Director of HR IT Services
Guy Chavez,, Assistant Director of Grants IT Services
Sasi Sunkari,, Manager, Quality Assurance
Brad Baker,, Assistant Director of Student System Dev
Srikanth Gurram,, Assistant Director of HCM Development
Carlos Alberto Mennechey,, Assistant Director of Finance System Development

Project Description

Oracle releases a Critical Patch Update (CPU) four times a year. These patches play a key role in keeping University of Colorado PeopleSoft systems secure. While putting together the final schedule for CPU patching, business continuity, environment refreshes, maintenance windows and other UIS project activities were considered. UIS PeopleSoft administration team used Puppet and Ansible for automating CPU patching in various environments. The table below compares the time taken for the patching before and after this project.

Timeline for patching Production patching Non-Production patching
Pre FY2022 11-13 Days 14-21 Days
FY2022 4-7 Days 7-10 Days

Project Efficiency 

The CPU Patching project showcases University Information Systems’ operational excellence. This project is a huge efficiency gain involving more than 30 UIS resources, short time and huge amount of work. We had to balance our time, testing, communications, and the availability of our systems while remaining dedicated to applying each CPU. In my recent trip to Alliance, a Higher Education User Group (HEUG) conference I saw a presentation where University of Berkeley was showing their 12 days turnaround time on CPU patching compared to UIS turnaround time of 4 days. This makes us a leader in higher education space for CPU patching.

Project Inspiration 

Given the increase in attacks on Higher Ed over the past few years, our CIO, Scott Munson, directed us to re-evaluate UIS current approach to assess our ability to patch all our PeopleSoft environments faster in October 2021. Boulder’s data breach that made the news occurred within 7 days of a patch being released. So, we were trying to keep our target under 7 days and were successful in getting it down to 4 days. By keeping this time low we were able to protect our systems while keeping the cost low with a sustainable approach.

Future Plans

Future propositions to make the CPU patching even more efficient and reliable.

  1. Ability to do hot patching by using tools like Coherence to provide no downtime in the customer-facing environments.
  2. Build more robust automated testing for all applications and leverage automation testing awesomeness.
  3. Creating awareness around in the campus community around criticality of patching activity so that we can schedule maintenance windows. 
  4. While building the future maintenance windows consider CPU release dates into account.

What Makes You Happiest about this Project?

The CPU patching project provided all of us great satisfaction by enabling us to protect our Enterprise Resource Planning systems. After Log4j vulnerability surfaced in December 2021, the importance of protecting our systems has become even more evident. This project is one more stride in right direction towards in securing our systems in a timely manner.