Patch Management Policy and Procedure
Overview
Liaison's Patch Management Policy and Procedure provides the processes and guidelines necessary to:
- Maintain the integrity of network systems and data by applying the latest operating system and application security updates/patches in a timely manner
- Establish a baseline methodology and timeframe for patching and confirming patch management compliance
Desktops, laptops, servers, applications, and network devices represent access points to sensitive and confidential company data, as well as access to technology resources and services. Ensuring updates and patches are distributed and implemented in a timely manner is essential to maintain system stability and mitigate malware, exploitation, and security threats.
The processes addressed in this policy affect all company managed systems, including desktops, laptops, servers, network devices, and applications that connect to the company network.
Responsibility
| Responsibility | Role |
|---|---|
| Review and approve changes to the Patch Management Policy and Procedures | IT Director and the CFO |
| Scan for patches (Vulnerability Management Program) | IT Security team |
| Obtain patches for systems | IT |
| Notify teams (QA, DEV, pre-prod and production) of patching schedules (depending on environment) | IT |
| Apply patches | IT |
| Test services after patching | QA/Dev Engineer |
| Notify and report testing results | QA/Dev Engineer |
| Remediate issues, as necessary | QA/Dev Engineer / IT Systems Engineer / IT Security team |
Process
1. End-user computers
- Scan for available patches
- Download necessary patches from a trusted source (as made available)
- Schedule deployment
- Deploy patches
2. Corporate and IT servers and network devices
- Scan for available patches
- Download necessary patches from a trusted source (as made available)
- Deploy patches
- Verify services
- Notify and report testing results
3. QA, Integration, Development
- Scan for available patches
- Download necessary patches from a trusted source (as made available)
- Deploy patches
- Verify services
- Notify and report testing results
4. Preproduction, Demo and staging
- Scan for available patches
- Download necessary patches from a trusted source (as made available)
- Deploy patches
- Verify services
- Notify and report testing results
5. Production
- Patches are approved, deployed, and applied in staging
- Create a change management request one week before the maintenance date
- The Customer Support team posts the maintenance window on the customer portal
- Deploy patches
- Communicate extended outages to the appropriate teams. If the outage runs past the maintenance window, Customer Support must communicate this to customers
- Verify services
6. Zero-day and emergency security patching
Note: The Security team will determine the risk and the relevance of the patch, as well as when the system should be patched.
- Create a change management request before the maintenance date
- Notify users
- Deploy patches
- Verify services
- Notify and report testing results
Exceptions
- Systems or applications that cannot be patched to resolve a known vulnerability will have the justification documented by the device/application owner and the necessary compensating control(s) implemented:
  - Justification:
    - No vendor patch available
    - The patch provided by the vendor creates instability within the system, and that instability outweighs the risk of the vulnerability.
  - Compensating controls:
    - Network segmentation
    - Access control lists
    - Intrusion prevention system
- Systems that transmit or store protected data and cannot be patched to resolve a known vulnerability will be brought to the attention of the data owner (typically the IT Security manager, IT Director, and the department Director), and the necessary compensating control(s) will be implemented.
Patch-Compliance Review Procedure
- The IT Security team will generate and review patch management/compliance reports on at least a monthly basis from the company vulnerability management tools.
- In reviewing the patch reports, the IT Security team will identify unpatched machines that connect to the company network and either patch them or define an exception.
- The IT Security team will conduct an external vulnerability scan on at least a monthly basis using Nessus to identify known and potential vulnerabilities in publicly facing systems. Vulnerabilities will be brought to the attention of the system/application administrator(s) for mitigation.