Technical Vulnerability and Patch Management Policy Document Number: OIL-IS-POL-TVPM

Similar documents
01.0 Policy Responsibilities and Oversight

Usage Policy Document Number: OIL-IS-POL-EU

Standard: Vulnerability Management & Standard

Information Security Awareness Guidelines Document Number: OIL-IS-GUD-ISA

IT SECURITY RISK ANALYSIS FOR MEANINGFUL USE STAGE I

The Common Controls Framework BY ADOBE

Cyber Security Program

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

Audit Logging and Monitoring Procedure Document Number: OIL-IS-PRO-ALM

Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV

ECCouncil EC-Council Certified CISO (CCISO) Download Full Version :

External Supplier Control Obligations. Cyber Security

Information Security Incident Response and Reporting

How to Underpin Security Transformation With Complete Visibility of Your Attack Surface

Avanade s Approach to Client Data Protection

SECURITY PLAN CREATION GUIDE

Physical and Environmental Security Policy Document Number: OIL-IS-POL-PES

Threat and Vulnerability Assessment Tool

The CISO is the owner of the vulnerability management process. This person designs the process and ensures is implemented as designed.

Virginia State University Policies Manual. Title: Information Security Program Policy: 6110

University of Sunderland Business Assurance PCI Security Policy

Virginia Commonwealth University School of Medicine Information Security Standard

Standard CIP Cyber Security Systems Security Management

Standard for Security of Information Technology Resources

Information Security Office. Server Vulnerability Management Standards

INFORMATION SECURITY. One line heading. > One line subheading. A briefing on the information security controls at Computershare

Consideration of Issues and Directives Federal Energy Regulatory Commission Order No. 791 January 23, 2015

Summary of FERC Order No. 791

ISO/IEC Solution Brief ISO/IEC EventTracker 8815 Centre Park Drive, Columbia MD 21045

<< Practice Test Demo - 2PassEasy >> Exam Questions CISM. Certified Information Security Manager.

Manchester Metropolitan University Information Security Strategy

Employee Security Awareness Training Program

Twilio cloud communications SECURITY

Critical Cyber Asset Identification Security Management Controls

DETAILED POLICY STATEMENT

Information Security Policy

INFORMATION TECHNOLOGY ( IT ) GOVERNANCE FRAMEWORK

Session ID: CISO-W22 Session Classification: General Interest

Standard CIP Cyber Security Critical Cyber Asset Identification

HIPAA RISK ADVISOR SAMPLE REPORT

ISO27001 Preparing your business with Snare

NEN The Education Network

Standard CIP Cyber Security Critical Cyber Asset Identification

BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE

Security Standards for Electric Market Participants

Consideration of Issues and Directives Federal Energy Regulatory Commission Order No. 791 June 2, 2014

Vulnerability Management Policy

Introduction NOTE IF THE REQUEST IS APPROVED, BEFORE PROCEEDING, THE REQUESTING DEPARTMENT MUST AGREE TO BE

Juniper Vendor Security Requirements

SOLUTION BRIEF RSA ARCHER IT & SECURITY RISK MANAGEMENT

Information Security for Mail Processing/Mail Handling Equipment

DRAFT. Standard 1300 Cyber Security

Table of Contents. Sample

SECURE NETWORK INFRASTRUCTURE GUIDE

Information Technology Branch Organization of Cyber Security Technical Standard

FedRAMP: Understanding Agency and Cloud Provider Responsibilities

Canada Life Cyber Security Statement 2018

Information Security Policy

Information Security Office. Information Security Server Vulnerability Management Standards

INFORMATION SECURITY POLICY

DISTRICT OF COLUMBIA WATER AND SEWER AUTHORITY ATTACHMENT A A-1: BACKGROUND AND CONTRACTOR QUALIFICATIONS A-2: SCOPE OF WORK

Access to University Data Policy

SOLUTIONS BRIEF GOGO AIRBORNE SECURITY SUMMARY 2017 Q3 RELEASE

Department of Public Health O F S A N F R A N C I S C O

BUSINESS CONTINUITY MANAGEMENT PROGRAM OVERVIEW

Information Technology Procedure IT 3.4 IT Configuration Management

Department of Management Services REQUEST FOR INFORMATION

University of Pittsburgh Security Assessment Questionnaire (v1.7)

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

AUTHORITY FOR ELECTRICITY REGULATION

Standard CIP 007 3a Cyber Security Systems Security Management

Healthcare Security Success Story

How To Establish A Compliance Program. Richard E. Mackey, Jr. SystemExperts Corporation

NYDFS Cybersecurity Regulations

State of Rhode Island Department of Administration Division of Information Technol

MNsure Privacy Program Strategic Plan FY

Exhibit A1-1. Risk Management Framework

Standard CIP Cyber Security Systems Security Management

CompTIA Exam CAS-002 CompTIA Advanced Security Practitioner (CASP) Version: 6.0 [ Total Questions: 532 ]

The next generation of knowledge and expertise

Security and Privacy Breach Notification

Business Continuity Management Standards A Side-by-Side Comparison

Building a Resilient Security Posture for Effective Breach Prevention

FRAMEWORK MAPPING HITRUST CSF V9 TO ISO 27001/27002:2013. Visit us online at Flank.org to learn more.

Ensuring Desktop Central Compliance to Payment Card Industry (PCI) Data Security Standard

Continuous protection to reduce risk and maintain production availability

Florida Government Finance Officers Association. Staying Secure when Transforming to a Digital Government

NORTH CAROLINA NC MRITE. Nominating Category: Enterprise IT Management Initiatives

Appendix 3 Disaster Recovery Plan

Physical Security Reliability Standard Implementation

CYBER SECURITY POLICY REVISION: 12

Section 3.9 PCI DSS Information Security Policy Issued: November 2017 Replaces: June 2016

Ensuring System Protection throughout the Operational Lifecycle

NW NATURAL CYBER SECURITY 2016.JUNE.16

Function Category Subcategory Implemented? Responsible Metric Value Assesed Audit Comments

Chapter 8: SDLC Reviews and Audit Learning objectives Introduction Role of IS Auditor in SDLC

PCI DSS 3.2 AWARENESS NOVEMBER 2017

ForeScout CounterACT. Continuous Monitoring and Mitigation. Real-time Visibility. Network Access Control. Endpoint Compliance.

PHYSICAL & ENVIRONMENTAL PROTECTION GUIDE

ISO STANDARD IMPLEMENTATION AND TECHNOLOGY CONSOLIDATION

Transcription:

Technical Vulnerability and Patch Management Policy Document Number: OIL-IS-POL-TVPM

Document Details Title Description Version 1.1 Author Classification Technical Vulnerability and Patch Management Policy To ensure a consistent approach is applied to the management of technical vulnerabilities and all available patches Information Security Manager Internal Review Date 27/03/2018 Reviewer & Custodian Approved By CISO Release Date 03/04/2017 Owner Information Security Council (ISC) CISO Distribution List Name Internal Distribution Only Version History Version Number Version Date 1.0 04/03/2015 1.1 03/04/2017 Internal Page 2 of 6

Table of Content 1. Purpose... 4 2. Policy... 4 2.1. Application... 4 2.2. Vulnerability Risk Assessment and Management... 4 2.3. Patch Management... 5 3. Non Compliance... 6 Internal Page 3 of 6

1. Purpose This Policy supports the high level policy statements defined in Information Security Policy. The policy stipulates that the technical vulnerabilities in IT department s information systems are identified and addressed in a timely manner. The policy also ensures that a consistent approach is applied to the management of technical vulnerabilities and that all available patches of the software used by the Company s IT department are assessed, approved, implemented and reviewed in a control manner. This would also ensure that all software patches applied on the information systems are in accordance with the approved business and technical requirements. 2. Policy 2.1. Application This policy document applies to all employees, including full-time staff, part-time staff, contractors, freelancers, and other agents of IT Department and who have access to Oil India information system and or Network. 2.2. Vulnerability Risk Assessment and Management The Chief Information Security Officer (CISO) will ensure that periodic risk assessments are conducted as per the Information Security Manual. The implementation of procedures for asset management and tracking will be the responsibility of the Chief Information Security Officer (CISO); The IT Head will designate IT personnel for identifying technical vulnerabilities on Company information systems. Additionally, designated personnel from IT will proactively stay in touch with vendors/ specialist groups to keep abreast with latest resources; On identification of a potential technical vulnerability the following actions will be taken: The vulnerability identified will be communicated to all the relevant personnel in the IT department; Any risks associated with it will be identified; and Internal Page 4 of 6

Appropriate measures will be taken, after internal approval to patch these vulnerabilities to mitigate any risks associated with it. The IT Head will ensure that the vulnerability assessment is performed and the weaknesses identified are resolved as per the defined periodicity. Vulnerability assessment will be performed semi-annually preferably by internal team. If any patches are available to mitigate identified vulnerabilities, the patches will be tested, logged and evaluated in a separate test environment before they are installed on Company s computer systems. If no patches are available to address the vulnerabilities, then one or more of the following actions will be taken: Stopping the services related to vulnerabilities; Creating or modifying access control rules on Firewall, Proxy Server and other such servers; and Create awareness among the users and personnel, involved in maintenance of the computer system, about technical vulnerabilities. 2.3. Patch Management The Company s IT Department will document and implement a Patch Management Process including enhancements and resolution procedures. This will be applicable for patches available for software installed on the department s information processing facilities. Procedures will be defined and responsibility designated to identify new security issues related to information processing facilities and any new patches released by the vendor. All new patches will be prioritized based on factors such as nature of the patch, vendor criticality, risk to the un-patched system in current environment and any other applicable parameter. A formal process for prioritization of patches and implementation schedule will be defined. Patches that require the information processing facility to be taken off-line will not be applied during business hours. In case of emergency patches, the IT Head and the Internal Page 5 of 6

information asset owner will approve implementation during the working hours after adequate communication to all the stakeholders and the IT users getting impacted. Patches will be tested in a test environment prior to application in production systems. Results of the tests conducted will be submitted to the asset owner/it Head who will approve or decline the changes required. Periodic reviews will be done to assess if the Company s IT department information systems are patched with the latest appropriate patches. Such reviews will also take inputs from technical vulnerability assessments conducted previously (Refer: Section 2.2). The IT Head will be responsible for implementing the procedures required to conduct the above-stated reviews and addressing any gaps identified. 3. Non Compliance Failure to comply with the Technical Vulnerability and Patch Management Policy may, at the full discretion of the Oil India, result in disciplinary action as per Information Security Policy. Internal Page 6 of 6

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback