Security – Standard Patch and Cert Update Policy Recommendations
April 1, 2012
Suggested Standard for Patch, Cert and Vendor Updates Policy
Standard Security Update Recommendations
Statement
All security patches, CERT advisories and recommendations, and other such materials provided by vendors or official computer emergency response teams (CERTs) must be promptly implemented, first in test and then in production.
Within 30 days of receiving a security advisory from a vendor, a CERT, or another trusted third party, the responsible system administrator must ensure that the appropriate patches, or compensating mitigating controls, are implemented. The required response is determined by the criticality, risk, and business impact of the vulnerability, as assessed by the appropriate enterprise standards group.
Purpose
Attackers use security vulnerabilities to gain privileged access to systems. Many of these vulnerabilities are fixed by vendor security patches, so all systems should be kept current with software patches to protect against exploitation by insiders, external attackers, and malware. For in-house developed applications, many vulnerabilities can be avoided by following standard system development processes and secure coding practices. Using enterprise-standard software and patch management processes further protects the environment.
Examples
An operating system vendor announces a vulnerability that affects all end-user workstations and releases a patch that closes it. A virus exploiting the vulnerability is already propagating on the Internet. Because the vulnerability is being actively exploited, Enterprise Desktop Support tests and deploys the patch via the standard deployment process within one week, well inside the 30-day window.
The vendor of a small, stand-alone application addresses a security vulnerability by releasing a new version of the software. The application is in use by one unit on fewer than ten shop floor control systems. None of these systems is connected to a network, and none ever leaves the facility.
Since the vulnerability can only be exploited over a network, an attacker has no path to reach it on these systems. The unit documents the network isolation as the mitigating control that reduces the risk, and deploys the new version in its next scheduled maintenance cycle.
References:
- Corporate Security Policies
- Corporate Security Standards
- PCI Data Security Standards
- ISO 17799/27001
- FERC CIP