Patch Management Policy and Procedure [PDF]

Zitiervorschau

Patch Management Policy and Procedure

About this Document Liaison's Patch Management Policy and Procedure provides the processes and guidelines necessary to: 1. Maintain the integrity of network systems and data by applying the latest operating system and application security updates/patches in a timely manner 2. Establish a baseline methodology and timeframe for patching and confirming patch management compliance Desktops, laptops, servers, applications, and network devices represent access points to sensitive and confidential company data, as well as access to technology resources and services. Ensuring updates and patches are distributed and implemented in a timely manner is essential to maintain system stability and mitigate malware, exploitation, and security threats. The processes addressed in this policy affect all company managed systems, including desktops, laptops, servers, network devices, and applications that connect to the company network.

Responsibility Responsibility

Role

Review and approve changes to the Patch Management Policy and Procedures

IT Director and the CFO

Scan for patches (Vulnerability Management Program)

IT Security team

Obtain patches for systems

IT

Notify teams (QA, DEV, pre-prod and production) of patching schedules (depending on environment)

IT

Apply patches

IT

© Liaison International. All Rights Reserved.

1

Test services after patching

QA/Dev Engineer

Notify and report testing results

QA/Dev Engineer

Remediate issues, as necessary

QA/Dev Engineer / IT Systems engineer / IT Security team

Process 1. End-users computers 1. Scan for available patches 2. Download necessary patches from a trusted source (as made available) 3. Schedule deployment 4. Deploy patches

2. Corporate and IT servers and network devices 1. Scan for available patches 2. Download necessary patches from a trusted source (as made available) 3. Deploy patches 4. Verify services 5. Notify and report testing results

3. QA, Integration, Development 1. Scan for available patches 2. Download necessary patches from a trusted source (as made available) 3. Deploy patches 4. Verify services 5. Notify and report testing results

4. Preproduction, Demo and staging 1. Scan for available patches

© Liaison International. All Rights Reserved.

2

2. Download necessary patches from a trusted source (as made available) 3. Deploy patches 4. Verify services 5. Notify and report testing results

5. Production 1. Patches are approved, deployed, and applied in staging 2. Create a change management request one week before the maintenance date 3. The Customer Support team posts a maintenance window on customers’ portal 4. Deploy patches 5. Communicate extended outages to appropriate teams. If outage goes past window, Customer Support must communicate it to customers 6. Verify services

6. Zero-day and emergency security patching: Note: The Security team will determine the risk and the relevance of the patch, as well as when the system should be patched. 1. Create a change management request before the maintenance date 2. Notify users 3. Deploy patches 4. Verify services 5. Notify and report testing results

Exceptions 1. Systems or applications that cannot be patched to resolve a known vulnerability will have the justification documented by the device/application owner and the necessary compensating control(s) implemented: ◦ Justification: ▪ No vendor patch available ▪ Patch provided by vendor creates instability within the system; instability outweighs the risk. ◦ Compensating Controls ▪ Network segmentation ▪ Access Control Lists ▪ Intrusion Prevention System 2. Systems that transmit or store protected data and cannot be patched to resolve a known vulnerability will be brought to the attention of the data owner (typically the IT Security manager, IT Director, and the department Director) and the necessary compensating control(s) will be implemented.

© Liaison International. All Rights Reserved.

3

Patch-Compliance Review Procedure 1. The IT Security team will generate and review patch management/compliance reports on at least a monthly basis from the company vulnerability management tools. 2. In reviewing the patch reports, The IT Security team will identify unpatched machines that connect to the company network and either patch or define an exception. 3. IT security will conduct an external vulnerability scan on at least a monthly basis using Nessus to identify known and potential vulnerabilities with the publicly facing system. Vulnerabilities will be brought to the attention of the system/application administrator(s) for mitigation.

Security Patching Workflow

© Liaison International. All Rights Reserved.

4