Mar 10, 2025  
DMACC Policies and Procedures

IS7030 - Patch Management


Procedure

Section: INFORMATION SOLUTIONS PROCEDURES

SubSection: Information Security

Master List Section: Information Solutions

Purpose

Servers, desktops/laptops, network and security devices, and applications shall be patched regularly to protect against widespread worms and malicious code that target known vulnerabilities on unpatched systems, which would result in downtime and business impact to DMACC.

The objective of this procedure is to ensure that IT systems and applications deployed in DMACC are updated with the latest security updates and patches.

Scope

This procedure applies to:

  • All staff (permanent and on contractual basis) and non-employees (contractors, consultants, suppliers, vendors etc.) of DMACC and other individuals, entities or organizations that have access and administrative privileges to DMACC’s information systems to perform their daily job-related responsibilities or meet contractual obligations
  • All the information processing systems namely servers, desktops, laptops, applications, databases, network, and security devices
  • Relevant third-party personnel responsible for administering and maintaining DMACC’s IT infrastructure

Procedure Statements

Identification and Validation of Patches

The DMACC IT Security Team (IST) is responsible for identification and validation of all patch related issues.

The DMACC IST is responsible for approving all security related patches.

To ensure that all patches are tracked, the DMACC IST shall:

  • Identify the patch and update release frequency of the relevant systems' vendors, or monitor the vulnerability fixes published by independent security groups.
  • Subscribe to the trusted advisories, vendor’s security patch mailing list or have agreements with vendors for receiving new security patches
  • Maintain an updated list of OS, application and database related patches released
  • The DMACC IST shall validate whether the released patch is applicable to the environment.
  • If a patch would affect a service and is therefore not implemented, the Information Solutions Security team shall track and keep a record of the discarded patches for future audit purposes.

Patch Classification

Patches shall be categorized into different criticality levels based on the threat to the systems. The DMACC IST shall analyse the applicability of the patch to the environment and determine its criticality.

The following guidelines and checks, among others, may be used to classify the criticality of the patch:

  • Criticality of the patch as assigned by the vendor
  • Probability of the vulnerability being exploited remotely
  • Publicly known worms or Trojans that can exploit the vulnerability
  • Assessment of the criticality of the patch to DMACC’s environment
  • The DMACC IST shall determine the criticality and verify whether the patch should be applied or not.

Patch Scheduling & Prioritization

Patches shall be tested and applied on a priority basis according to their identified criticality.

Plans shall be developed for standard patch releases and updates. A separate plan shall be developed for critical security and functionality related patches and updates.

Patch criticality levels are as follows:

  • Critical: A vulnerability whose exploitation could severely impact the IT systems that provide services to critical business functions of DMACC.
  • High: A vulnerability whose exploitation could result in compromise of the confidentiality, integrity, or availability of DMACC’s information.
  • Medium: A vulnerability whose exploitation would affect DMACC IT systems but on a controllable level.
  • Low: A vulnerability whose exploitation is extremely difficult, or whose impact is minimal.

Patches shall be tested and applied in the following time frames:

  • Critical: As soon as possible after release (installed immediately after testing)
  • High: Within 1 week of release (installed during scheduled change control window)
  • Medium: Within 15 days of release (installed during scheduled change control window)
  • Low: Within 30 days of release (installed during scheduled change control window)

Patch Installation

All patch deployments in the DMACC IT infrastructure (pre-production and production environments) must be performed as per the change management process.

The DMACC IST and vendors shall check whether the patch installation affects the operating system or application’s functionality in a test environment, wherever applicable.

If the patch passes testing, it may be applied to the production environment only after approval from the DMACC IST as per the change management process.

The implementation of patches must be planned to ensure that it does not affect the performance of other IT systems and applications in any way.

The following plans shall be documented as part of the process for an effective patch installation activity:

  • Implementation Plan
  • Backup Plan
  • Roll Back Plan

Patch Tracking

The DMACC IST shall maintain patch tracking in the patch management system, detailing the patches that have been installed and those that are scheduled. Unapproved patches shall also be listed in the Patch Tracking Chart with a business justification.

Audit and Assessment

The DMACC IST shall review the installation of security patches every quarter by carrying out an internal vulnerability assessment, in a staged manner, on all desktops, laptops, servers, applications, networking devices and security devices. This is to ensure that all patches which have not been installed can be tracked for future reference.

Centralized Patch Management System

A centralized patch management system shall be in place to ensure patches are applied on desktops in a timely fashion.

Applying patches to servers, applications, databases, and network devices may be done either manually or automatically using the patch management system.

New machines shall be deployed into the production environment only as per the Secure Configuration Standards and once all the latest patches identified in the patch tracking sheet are installed.
