Patch Management Version Control Policy


Table of Contents

Patch Management Version Control Policy ... 2
    The Patch Management Version Control Process ... 2
    Policy ... 2
    Vendor Updates ... 3
    Concepts ... 3
    Responsibility ... 3
    Organizational Roles ... 4
    Monitoring ... 5
    Review and evaluation ... 5
    Risk assessment and testing ... 6
    Notification and scheduling ... 6
    Implementation ... 7
        Emergency patches ... 7
        Critical Patches ... 7
    Auditing, assessment, and verification ... 7
    User responsibilities and practices ... 7
Best Practices ... 8
    Security Patch Management Best Practices ... 10
Appendix ... 13
    Change and Patch Management Control Log ... 13
    Job Descriptions ... 17
        Change Control (under separate cover) ... 17
        Change Control Supervisor (under separate cover) ... 17
        Change Control Analyst (under separate cover) ... 17
What's New ... 18

2017 Copyright Janco Associates, Inc. www.e-janco.com

Patch Management Version Control Policy

The Patch Management Version Control Process

Patch management is an ongoing, circular process. The reality of software and network vulnerabilities is that, after you apply a patch, a new vulnerability will need to be addressed sooner rather than later. Add to that the various versions of an application in use and the management complexity increases. A robust patch management and version control life cycle includes each of the following:

Detection - Tools scan systems for missing security patches. Detection should be automated and should trigger the patch management process.

Assessment - If required updates are not installed, determine the severity of the issue(s) addressed by the patch and the mitigating factors that may influence your next steps. By weighing the severity of the issue against the mitigating factors, determine whether the vulnerabilities are a threat to your current environment.

Acquisition - If the vulnerability is not already addressed by the security measures in place, download the patch for testing.

Testing - Install the patch on a test system to verify the effect of the update on your production configuration.

Deployment - Deploy the patch to production computers. Make sure your applications are not adversely affected. Use your rollback or backup-restore plan if needed.

Maintenance - Subscribe to notifications that alert you to vulnerabilities as they are reported. Begin the patch management process again.

Obsolescence - Over time, versions of an application are removed from the support cycle because the older versions may lack the features and functions necessary for operation within the enterprise.

Policy

It is the Chief Information Officer's (CIO's) responsibility to provide a secure computing environment for the company's automated applications, staff, associates, business partners, and contractors. As part of this, it is Enterprise's objective to ensure that all computer devices (including servers, desktops, printers, PDAs, smartphones, and BYOD) using Enterprise's computing environment (data, processes, and network) have proper virus protection software, current virus definition libraries, and the most recent operating system and security patches installed. In addition, it is the responsibility of the CIO to provide an inventory of the application versions and patch levels that are supported, and a timeline stating when obsolete versions of applications and devices will no longer be supported.

Organizational Roles

Patch management is part of change control and revision management; as such, there are roles and responsibilities that various members of the organization must fill. All of them are integrated into the Change and Patch Management Committee (CPMC). The responsibility matrix records, for each role, its responsibility, department and job title.

Roles:
- Change Patch Coordinator
- Change Patch Administrator
- System Support
- User System Support
- Application Support
- Quality Assurance
- User Quality Assurance
- System Management
- Change Patch Audit
- Business Approval

Responsibilities:
- Coordinates change and patch management and evaluation meetings. Facilitates establishment of the CPMC. Acts as a liaison between IT and the business. Notifies the business and IT of status and schedule, in addition to updating the Change Management Log.
- Acquires and deploys the patches. Groups changes and patching blocks by function and environment. Maintains the Change Management Log and communicates status and updates with IT and business functions.
- Brings systems and network back online after change and patch deployment.
- Responsible for activation of remote device updates, including BYODs and Internet-based applications.
- Verifies that changes and patches are functioning as expected and conducts regression tests to assure that all other functions are operational as they should be. Brings outstanding issues to the committee.
- Verifies that changes and patches were deployed. Brings outstanding issues to the committee.
- Runs compliance reports and verifies that patches were deployed. Brings outstanding issues to the committee.
- Verifies that changes and patches meet all compliance requirements, both internal and external. Brings outstanding issues to the committee.
- Verifies that all systems and networks are operational after the deployment of changes and patches is completed. Is responsible for rolling back the system if the change or patch is not functioning as expected.
- Runs compliance reports and verifies that patches were deployed. Brings outstanding issues to the committee.
- Provides authorization to deploy patches during the specified maintenance window.

Departments and job titles named in the matrix:
- Information Architecture
- Change Control and Patch Management
- Production Support
- User Support Services
- Quality Assurance
- User Supervisors
- Computer Operations
- Internal Audit
- User
- Independent 3rd Party

Implementation

Emergency patches

PM (Patch Management) will deploy Emergency patches within a reasonable time (i.e. within one work day) of availability. Because Emergency patches address an imminent threat to the network, the release may precede testing. In all instances, the department will perform testing (either pre- or post-implementation) and document it for auditing and tracking purposes.

Critical Patches

Patch Management Implementation Timeline for Critical patches:
- Patch Available: Day 0
- Submit to Testing: Day 1
- Change Control Approval: Day 3
- Release Patch: Day 5

PM will obtain authorization for implementing Critical patches via an emergency Change Control process and Enterprise management approval. The department will implement Non-Critical patches during regularly scheduled preventive maintenance. Each patch will have an approved Change Control Request. For new network devices, each platform will follow established procedures to ensure the installation of the most recent patches.

Auditing, assessment, and verification

Following the release of all patches, PM staff will verify the successful installation of the patch and that there have been no adverse effects.

User responsibilities and practices

It is the responsibility of each user, both individually and within the organization, to ensure prudent and responsible use of computing and network resources.
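The life-cycle stages in the process section and the Emergency/Critical/Non-Critical deadlines above are what the Change Patch Audit role's compliance report has to check. The script below is an added example, not part of the Janco policy, that turns those rules into such a report over a constructed set of patch records (hostnames, patch ids, change request numbers and dates are invented). Assumptions not stated on the page: timeline days are calendar days counted from Patch Available (Day 0), an Emergency patch is due one work day after availability, a Non-Critical patch is due at the next scheduled maintenance window, and the record fields shown are what a scan export or the Change and Patch Management Log would supply.

```python
"""Compliance report against the patch implementation timeline.

Added example, not the policy's own tooling. Assumptions: calendar days from
Day 0, Emergency due next work day, Non-Critical due at the maintenance window,
record layout as in PatchRecord (a real run would load these from a scan
export or the Change and Patch Management Log).
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Critical-patch milestones from the policy, in days after Day 0 (Patch Available).
CRITICAL_MILESTONES = {"submit_to_testing": 1, "change_control_approval": 3, "release": 5}


@dataclass
class PatchRecord:
    host: str
    patch_id: str
    classification: str            # "Emergency", "Critical" or "Non-Critical"
    available: date                # Day 0
    deployed: Optional[date]       # None while the patch is still missing
    change_request: Optional[str]  # approved Change Control Request, if any
    tested: bool                   # testing documented (pre- or post-implementation)


def next_work_day(d: date) -> date:
    """Day after d, skipping Saturday and Sunday (holidays ignored: assumption)."""
    d += timedelta(days=1)
    while d.weekday() >= 5:
        d += timedelta(days=1)
    return d


def critical_schedule(available: date) -> Dict[str, date]:
    """Target date of each Critical milestone, for notification and scheduling."""
    return {name: available + timedelta(days=n) for name, n in CRITICAL_MILESTONES.items()}


def deadline(rec: PatchRecord, maintenance_window: date) -> date:
    if rec.classification == "Emergency":
        return next_work_day(rec.available)
    if rec.classification == "Critical":
        return critical_schedule(rec.available)["release"]
    return maintenance_window  # Non-Critical: regularly scheduled preventive maintenance


def findings(rec: PatchRecord, today: date, maintenance_window: date) -> List[str]:
    """Policy deviations for one record; an empty list means compliant."""
    out: List[str] = []
    due = deadline(rec, maintenance_window)
    if rec.deployed is None:
        if today > due:
            out.append(f"overdue: due {due}, {(today - due).days} day(s) late")
    else:
        if rec.deployed > due:
            out.append(f"late: deployed {rec.deployed}, due {due}")
        if not rec.tested:
            # Testing is required for every deployed patch, Emergency patches included.
            out.append("no documented testing")
    if rec.change_request is None:
        out.append("no approved Change Control Request")  # required for each patch
    return out


def compliance_report(records: List[PatchRecord], today: date,
                      maintenance_window: date) -> Dict[str, List[str]]:
    return {f"{r.host}/{r.patch_id}": findings(r, today, maintenance_window) for r in records}


# Constructed sample data (all values invented).
TODAY = date(2017, 6, 19)               # a Monday
MAINTENANCE_WINDOW = date(2017, 6, 24)  # next scheduled preventive maintenance
SAMPLE_RECORDS = [
    PatchRecord("web01", "P-001", "Emergency", date(2017, 6, 16), None, "CR-101", False),
    PatchRecord("db02", "P-002", "Critical", date(2017, 6, 10), None, None, False),
    PatchRecord("app03", "P-003", "Critical", date(2017, 6, 12), date(2017, 6, 16), "CR-102", True),
    PatchRecord("file04", "P-004", "Non-Critical", date(2017, 6, 1), None, "CR-103", False),
    PatchRecord("mail05", "P-005", "Emergency", date(2017, 6, 15), date(2017, 6, 19), "CR-104", False),
]


def example_report() -> Dict[str, List[str]]:
    return compliance_report(SAMPLE_RECORDS, TODAY, MAINTENANCE_WINDOW)


if __name__ == "__main__":
    for key, issues in example_report().items():
        print(key, "OK" if not issues else "; ".join(issues))
```

Note that an Emergency patch released on a Friday is not flagged until the following Monday has passed, because the deadline is counted in work days, while a Critical patch that is still missing on Day 6 is flagged regardless of the weekend; whether the policy's Day 0 to Day 5 timeline should also skip weekends is a decision the committee has to record, not something the page states.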


What's New

Version 2.2
- Added ten (10) best practices for security compliance and patch management
- Added 3 job descriptions:
  - Change Control
  - Change Control Supervisor
  - Change Control Analyst
- Updated to meet the latest compliance requirements
- Updated Patch Management Electronic Form

Version 2.1
- Updated to meet ISO compliance standards
- Updated electronic form

Version 2.0
- Updated version control process within the policy

Version 1.1
- Added Organizational Responsibility Matrix including BYOD
- Added Electronic Form: Change and Patch Management Log (Excel .xlsx format)

Version 1.0
- Policy released