Patch Management Policy and Procedure

This document provides a patch management policy and procedure to maintain network integrity by applying security updates. It defines responsibilities for patching systems and applications. The process scans for patches, downloads and deploys them, verifies services, and reports results. Exceptions require justification and compensating controls.
Patch Management Policy and Procedure

About this Document


Liaison's Patch Management Policy and Procedure provides the processes and guidelines necessary to:

1. Maintain the integrity of network systems and data by applying the latest operating system and application security
updates/patches in a timely manner
2. Establish a baseline methodology and timeframe for patching and confirming patch management compliance

Desktops, laptops, servers, applications, and network devices represent access points to sensitive and confidential
company data, as well as access to technology resources and services. Ensuring updates and patches are distributed
and implemented in a timely manner is essential to maintain system stability and mitigate malware, exploitation, and
security threats.

The processes addressed in this policy affect all company managed systems, including desktops, laptops, servers,
network devices, and applications that connect to the company network.

Responsibility

Responsibility                                                             Role
Review and approve changes to the Patch Management Policy and Procedures   IT Director and the CFO
Scan for patches (Vulnerability Management Program)                        IT Security team
Obtain patches for systems                                                 IT
Notify teams (QA, DEV, pre-prod and production) of patching schedules      IT (depending on environment)
Apply patches                                                              IT
Test services after patching                                               QA/Dev Engineer
Notify and report testing results                                          QA/Dev Engineer
Remediate issues, as necessary                                             QA/Dev Engineer / IT Systems engineer /
                                                                           IT Security team

© Liaison International. All Rights Reserved. 1

Process

1. End-user computers
   1. Scan for available patches
   2. Download necessary patches from a trusted source (as made available)
   3. Schedule deployment
   4. Deploy patches

2. Corporate and IT servers and network devices
   1. Scan for available patches
   2. Download necessary patches from a trusted source (as made available)
   3. Deploy patches
   4. Verify services
   5. Notify and report testing results

3. QA, Integration, Development
   1. Scan for available patches
   2. Download necessary patches from a trusted source (as made available)
   3. Deploy patches
   4. Verify services
   5. Notify and report testing results

4. Preproduction, Demo and staging
   1. Scan for available patches
   2. Download necessary patches from a trusted source (as made available)
   3. Deploy patches
   4. Verify services
   5. Notify and report testing results

5. Production
   1. Patches are approved, deployed, and applied in staging
   2. Create a change management request one week before the maintenance date
   3. The Customer Support team posts a maintenance window on the customers’ portal
   4. Deploy patches
   5. Communicate extended outages to the appropriate teams. If the outage goes past the window, Customer Support
      must communicate it to customers
   6. Verify services

6. Zero-day and emergency security patching

Note: The Security team will determine the risk and the relevance of the patch, as well as when the system should be
patched.

   1. Create a change management request before the maintenance date
   2. Notify users
   3. Deploy patches
   4. Verify services
   5. Notify and report testing results

Exceptions
1. Systems or applications that cannot be patched to resolve a known vulnerability will have the justification
documented by the device/application owner and the necessary compensating control(s) implemented:
◦ Justification:
▪ No vendor patch available
▪ Patch provided by vendor creates instability within the system; instability outweighs the risk.
◦ Compensating Controls
▪ Network segmentation
▪ Access Control Lists
▪ Intrusion Prevention System
2. Systems that transmit or store protected data and cannot be patched to resolve a known vulnerability will be
brought to the attention of the data owner (typically the IT Security manager, IT Director, and the department
Director) and the necessary compensating control(s) will be implemented.


Patch-Compliance Review Procedure
1. The IT Security team will generate and review patch management/compliance reports on at least a monthly basis
from the company vulnerability management tools.
2. In reviewing the patch reports, the IT Security team will identify unpatched machines that connect to the company
network and either patch them or define an exception.
3. The IT Security team will conduct an external vulnerability scan on at least a monthly basis using Nessus to identify
known and potential vulnerabilities in the publicly facing systems. Vulnerabilities will be brought to the attention
of the system/application administrator(s) for mitigation.
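The review in step 2 above, combined with the rules of the Exceptions section, can be applied mechanically to a scan export. The following is an added example written for this page, not Liaison's own tooling; the CSV layout, host names and exception register are constructed, and a justification or compensating control outside the lists the policy names is treated as not acceptable.

```python
from dataclasses import dataclass
# Justifications and compensating controls listed in the Exceptions section.
VALID_JUSTIFICATIONS = {"no vendor patch available", "patch creates instability"}
VALID_CONTROLS = {"network segmentation", "access control lists",
                  "intrusion prevention system"}

@dataclass(frozen=True)
class PatchException:
    host: str
    owner: str          # device/application owner who documented the exception
    justification: str
    controls: tuple     # compensating control(s) actually implemented

    def is_valid(self):
        """Policy: an accepted justification AND at least one listed control."""
        return (self.justification in VALID_JUSTIFICATIONS
                and bool(self.controls) and set(self.controls) <= VALID_CONTROLS)

def parse_report(text):
    """Parse constructed 'host,missing_patch,protected_data' CSV rows (header skipped)."""
    rows = []
    for line in text.strip().splitlines()[1:]:
        host, patch, protected = [f.strip() for f in line.split(",")]
        rows.append({"host": host, "patch": patch, "protected": protected.lower() == "yes"})
    return rows

def review(rows, exceptions):
    """Map each unpatched host to the action the compliance review requires."""
    by_host = {e.host: e for e in exceptions}
    actions = {}
    for row in rows:
        exc = by_host.get(row["host"])
        if exc is None:
            action = "patch or define exception"
        elif not exc.is_valid():
            action = "exception invalid: fix justification/compensating control"
        else:
            action = "exception accepted"
        if exc is not None and row["protected"]:
            action += "; escalate to data owner"  # protected data that cannot be patched
        actions[row["host"]] = action
    return actions

# Constructed sample input (not from the document): a scan export and two exceptions.
SCAN_REPORT = "host,missing_patch,protected_data\nweb01,patch-A,yes\ndb02,patch-B,yes\nlab03,patch-C,no\n"
EXCEPTIONS = [PatchException("db02", "dba-team", "no vendor patch available",
                             ("network segmentation", "access control lists")),
              PatchException("lab03", "lab-owner", "owner too busy", ())]  # no control

def run_review():
    return review(parse_report(SCAN_REPORT), EXCEPTIONS)
```

Running run_review() yields one action per unpatched host: web01 must be patched or given an exception, db02's exception is accepted but the protected data triggers escalation to the data owner, and lab03's exception is rejected for lacking an accepted justification and a compensating control.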

Security Patching Workflow
