Table of Contents

Patch Management Version Control Policy ... 2
  The Patch Management Version Control Process ... 2
  Policy ... 2
  Vendor Updates ... 3
  Concepts ... 3
  Responsibility ... 3
  Organizational Roles ... 4
  Monitoring ... 5
  Review and evaluation ... 5
  Risk assessment and testing ... 6
  Notification and scheduling ... 6
  Implementation ... 7
    Emergency patches ... 7
    Critical Patches ... 7
  Auditing, assessment, and verification ... 7
  User responsibilities and practices ... 7
Best Practices ... 8
  Security Patch Management Best Practices ... 10
Appendix ... 13
  Change and Patch Management Control Log ... 13
  Job Descriptions ... 17
    Change Control (under separate cover) ... 17
    Change Control Supervisor (under separate cover) ... 17
    Change Control Analyst (under separate cover) ... 17
What's New ... 18

2017 Copyright Janco Associates, Inc. www.e-janco.com
Patch Management Version Control Policy

The Patch Management Version Control Process

Patch management is an ongoing, circular process. The reality of software and network vulnerabilities is that, after you apply a patch, a new vulnerability will need to be addressed sooner rather than later. Add the various versions of each application to that, and the management complexity increases. A robust patch management and version control life cycle includes each of the following:

Detection - Tools to scan systems for missing security patches. The detection should be automated and should trigger the patch management process.

Assessment - If necessary updates are not installed, determine the severity of the issue(s) addressed by the patch and the mitigating factors that may influence your next steps. By balancing the severity of the issue against the mitigating factors, determine whether the vulnerabilities are a threat to your current environment.

Acquisition - If the vulnerability is not addressed by the security measures already in place, download the patch for testing.

Testing - Install the patch on a test system to verify the ramifications of the update against your production configuration.

Deployment - Deploy the patch to production computers. Make sure your applications are not adversely affected. Employ your rollback or backup restore plan if needed.

Maintenance - Subscribe to notifications that alert you to vulnerabilities as they are reported. Begin the patch management process again.

Obsolescence - Over time, versions of an application will be removed from the support cycle, as the older versions may not have the features and functions that are necessary for operation within the enterprise.

Policy

It is the Chief Information Officer's (CIO's) responsibility to provide a secure computing environment for the company's automated applications, staff, associates, business partners, and contractors.
As part of this, it is Enterprise's objective to ensure that all computer devices (including servers, desktops, printers, PDAs, SmartPhones, and BYOD devices) utilizing Enterprise's computing environment (data, process, and network) have proper virus protection software, current virus definition libraries, and the most recent operating system and security patches installed. In addition, it is the responsibility of the CIO to provide an inventory of the various versions and patch levels that are supported and a timeline for when obsolete versions of applications and devices will no longer be supported.
Organizational Roles

Patch management is part of change control and revision management; as such, there are roles and responsibilities that various members of the organization must fill. They are all integrated into the Change and Patch Management Committee (CPMC).

Role | Responsibility
Change Patch Coordinator | Coordinates change and patch management and evaluation meetings. Facilitates establishment of the CPMC. Acts as a liaison between and the business. Notifies business and of status and schedule, in addition to updating the Change Management Log.
Change Patch Administrator | Acquires and deploys the patches. Groups changes and patching blocks by function and environment. Maintains the Change Management Log and communicates status and updates with and business functions.
System Support | Brings systems and network back online after change and patch deployment. Responsible for activation of remote device updates, including BYODs and Internet-based applications.
User System Support | Verifies changes and patches are functioning as expected and conducts regression tests to assure that all other functions are operational as they should be. Brings outstanding issues to the committee.
Application Support | Verifies changes and patches were deployed. Brings outstanding issues to the committee.
Quality Assurance | Runs compliance reports and verifies patches were deployed. Brings outstanding issues to the committee.
User Quality Assurance | Verifies changes and patches are meeting all compliance requirements, both internal and external. Brings outstanding issues to the committee.
System Management | Verifies that all systems and networks are operational after the deployment of changes and patches is completed. Is responsible for rolling back the system if the change or patch is not functioning as expected.
Change Patch Audit | Runs compliance reports and verifies patches were deployed. Brings outstanding issues to the committee.
Business Approval | Provides authorization to deploy patches during the specified maintenance window.

Departments referenced in the matrix: User; User; Independent 3rd Party; User.

Job Titles referenced in the matrix: Information Architecture; Change Control and Patch Management; Production Support; User Support Services; Quality Assurance; User Supervisors; Computer Operations; Internal Audit; User.
Implementation

Emergency patches

PM will deploy Emergency patches within a reasonable time (i.e., one work day) of availability. As Emergency patches pose an imminent threat to the network, the release may precede testing. In all instances, the department will perform testing (either pre- or post-implementation) and document it for auditing and tracking purposes.

Critical Patches

Patch Management Implementation Timeline - Critical Patches
Patch Available ... Day 0
Submit to Testing ... Day 1
Change Control Approval ... Day 3
Release Patch ... Day 5

PM will obtain authorization for implementing Critical patches via an emergency Change Control process and Enterprise's management approval. The department will implement non-Critical patches during regularly scheduled preventive maintenance. Each patch will have an approved Change Control Request. For new network devices, each platform will follow established procedures to ensure the installation of the most recent patches.

Auditing, assessment, and verification

Following the release of all patches, PM staff will verify the successful installation of the patch and that there have been no adverse effects.

User responsibilities and practices

It is the responsibility of each user, both individually and within the organization, to ensure prudent and responsible use of computing and network resources.
What's New

Version 2.2
- Added ten (10) best practices for security compliance and patch management
- Added 3 job descriptions
  o Change Control
  o Change Control Supervisor
  o Change Control Analyst
- Updated to meet the latest compliance requirements
- Updated Patch Management Electronic Form

Version 2.1
- Updated to meet ISO compliance standards
- Updated electronic form

Version 2.0
- Updated version control process within the policy

Version 1.1
- Added Organizational Responsibility Matrix, including BYOD
- Added Electronic Form Change and Patch Management Log (Excel .xlsx format)

Version 1.0
- Policy Released