Patch Management Policy

Updated annually.

Purpose

Patch management is a part of the system maintenance process and is the process of planning what patches should be applied to which systems at a specified time. Vulnerability management is the practice of identifying, classifying, remediating, and mitigating vulnerabilities as part of the systems and software maintenance process.

Scope

All computing, networking, communications, application, telecommunications systems, infrastructure, hardware, software, data, databases, personnel, procedures, physical facilities, cloud-based vendors, Software as a Service (SaaS) vendors, and any related materials and services must be part of the Patch Management process.

Authority

The individual or group in charge of the Company’s security function is responsible for the development, enforcement and oversight of these policies and standards. The Information Technology (IT) department and other designated parties are responsible for implementing and monitoring these policies, processes and standards.

Policy

Patch Management

1.1 Servers, services, or applications must be maintained with current OS, application, or security patch levels, as recommended by the software manufacturer and informed by risk, to protect from known information security issues.

1.2 Patch management must occur regularly, at an interval appropriate to the system, but no greater than every 90 days.

1.3 Managers are responsible for the assessment of Information Resources under their supervision.

1.4 Managers are responsible for submitting patches or configuration changes according to the Change Management Process and for maintaining an auditable trail for compliance.

1.5 All patches or configuration changes must be deployed to Information Resources when a vulnerability is determined by the IT Risk Assessment Policy. Patches include, but are not limited to, the following:

  • Updating software
  • Fixing a software bug
  • Installing new drivers
  • Addressing new security vulnerabilities
  • Addressing software stability issues

Vulnerability Management

2.1 All vulnerability patches or configuration changes must be deployed to Information Resources within the timeframe stated in the IT Risk Assessment Policy Process.

2.2 Managers are responsible for the remediation of Information Resources under their supervision.

2.3 If a solution or remediation is not available to address a vulnerability, the compensating or other mitigating controls must be approved by management.

2.4 Managers must have a written and auditable procedure addressing remediation steps.

Process

  • All server instances are regularly updated using the official package manager of the Linux distribution, pointed at the official package repository (e.g. the Amazon Linux 2 repository).
  • The staging environment is updated with the latest packages first. After regression testing, all tested packages are rolled out during the regular production update window (bi-weekly to monthly).
  • In the case of an “important” to “critical” security update, the security packages are applied as soon as possible, subject to Change Management.
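The following script is an added example and not part of this policy document or the Company's tooling. It shows one way to implement the gate between the regular update cycle and the expedited path for "important" or "critical" security updates on a yum-based host such as Amazon Linux 2: it reads the `advisory-id severity/Sec. package` lines that `yum updateinfo list security` prints, counts advisories at or above "important", and returns a non-zero status when an expedited change is required. The advisory identifiers and package versions in the embedded sample are constructed placeholders, and the assumed line format is the one produced by yum's updateinfo plugin.

```shell
#!/bin/sh
# Added example, not part of the policy text: triage pending security
# advisories against the process step "important/critical security updates
# are applied as soon as possible, subject to Change Management".
# Assumes the `advisory-id severity/Sec. package` line format printed by
# `yum updateinfo list security` on Amazon Linux 2 / RHEL-family hosts.

# Constructed sample output (placeholder advisory IDs and package versions).
SAMPLE_UPDATEINFO='ALAS-XXXX-0001 critical/Sec.  kernel-PLACEHOLDER.x86_64
ALAS-XXXX-0002 important/Sec. openssl-PLACEHOLDER.x86_64
ALAS-XXXX-0003 medium/Sec.    curl-PLACEHOLDER.x86_64
ALAS-XXXX-0004 low/Sec.       vim-PLACEHOLDER.x86_64'

# count_expedited: read updateinfo lines on stdin and print how many
# advisories are rated important or critical (the ones the policy expedites).
count_expedited() {
    awk 'tolower($2) ~ /^(important|critical)\/sec\.$/ { n++ } END { print n+0 }'
}

# list_expedited: print advisory id, severity and package for each
# important/critical advisory, for the change ticket.
list_expedited() {
    awk 'tolower($2) ~ /^(important|critical)\/sec\.$/ { print $1, $2, $3 }'
}

# patch_gate: return 1 when an expedited change is required (any
# important/critical advisory pending), 0 when the regular bi-weekly to
# monthly cycle is sufficient.
patch_gate() {
    n=$(count_expedited)
    if [ "$n" -gt 0 ]; then
        echo "$n important/critical security advisories pending; expedited change required" >&2
        return 1
    fi
    echo "no important/critical security advisories pending; follow regular cycle"
    return 0
}

# Live usage on a host (uncomment to run against the real package manager):
#   yum updateinfo list security | patch_gate

# Demo on the constructed sample:
printf '%s\n' "$SAMPLE_UPDATEINFO" | list_expedited
printf '%s\n' "$SAMPLE_UPDATEINFO" | patch_gate || echo "gate result: expedited path"
```

Run as a cron job or in the staging pipeline, the exit status of `patch_gate` is what decides whether the packages wait for the next scheduled window or go through an expedited change request; a medium or low advisory alone leaves the regular cycle in place.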

Enforcement

Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment. Any employee aware of any violation of this policy is required to report it to their supervisor or other authorized representative.