The Department of Technology Services is responsible for installing and managing security controls and technologies on behalf of the State of Utah.

Transcription

1 DTS Standard S1 PATCH MANAGEMENT SECURITY STANDARD Status: Approved Effective Date: August 26, 2009 through August 25, 2011 Revised Date: N/A Approved By: J. Stephen Fletcher Authority: UCA 63F-1-103; Utah Administrative Code, R895-7 Acceptable Use of Information Technology Resources; Utah Administrative Code, R Discipline S1.1 Purpose The purpose of this standard is to define and establish the State of Utah s requirements to ensure that systems do not pose an unmanaged security risk for the State of Utah network, by ensuring applicable and required security patches are applied in a timely and effective manner. S1.1.1 Background This standard covers the requirements for software patch management. Patch management is the people, procedures and technology responsible for keeping computers current with updates developed for an existing software product. Security patch management is patch management with a focus on reducing security vulnerabilities. Patch Management is not a defensive procedure in reaction to critical incidents. There are emergencies that warrant such cases, but security patch management should primarily be a proactive procedure for keeping the environment secure and reliable. Security patch management as a functioning procedure ensures that all identified software updates are in place, thereby eliminating vulnerabilities from the environment and mitigating the risk of computers being compromised. The Department of Technology Services is responsible for installing and managing security controls and technologies on behalf of the State of Utah. S1.1.2 Scope This standard applies to all agencies and administrative subunits of state government as defined by UCA 63F-1-102(7), et seq. S1.1.3 Exceptions The Chief Information Officer, or authorized designee, may acknowledge that under rare circumstances, certain associates will need to employ systems S

2 that are not compliant with these standards. The Chief Information Officer, or authorized designee, must approve in writing all such instances. In such cases, a business case for non-compliance must be established and the request for exemption must be approved in advance through a risk acceptance review. The risk acceptance business case requires approval by the Information Owner (Agency Executive Director/Commissioner) or authorized designee, the Chief Information Officer or authorized designee, and the Enterprise Information Security Office. S1.2 Definitions Asset Custodian The IT staff entrusted with administering and protecting specific electronic information resources and assets. Asset Owner The IT staff entrusted with administering and protecting specific electronic information resources and assets (Application Owner). Information Steward The individual responsible and accountable for assets entrusted to their care. Within the State s enterprise information security framework, executive directors are designated as the stewards responsible for the State s information assets. Information Custodian An individual entrusted with administering and protecting information resources and assets. Within the State s enterprise security framework, the State s Chief Information Officer (CIO) is designated as the chief information custodian of the State s electronic information resources and assets. S1.3 Standards S1.3.1 Automatic Scanning S Enterprise Information Security Staff will at a minimum, audit all networked computers monthly to determine the need for security patches. Automatic scanning systems administered from a central site, are superior to manual patching methods. It must be possible to scan by: IP Ranges and Machine Name. S Applies to the following classification of systems: S

3 S Automated scanning and deployment (patch management) systems must be able to provide list of: Missing patches and or Services Packs; OS versions; Patches that were successfully applied; and Patches that could not be applied. S Applies to the following classification of systems: S1.3.2 Patch Approval Process Security patches may cause an application to malfunction, or other unexpected problems, patches must be scheduled using the current enterprise change management system. S When a new security patch is announced and released the Enterprise Information Security Staff will work with the asset custodian to determine the risk associated with the patch. S A risk level will be assigned to the security patch based on the vulnerability procedure process. S The asset custodian will test the patch and based on the risk level apply the patches accordingly. S The asset custodian will notify the change management group using the standard change request process. S Once the customers affected by the patch are notified and change management has approved the update, the patch will be applied. S It is the asset or application owner responsibility to resolve any incompatibility with the applications development or vendor. S1.3.2 Applies to the following classification of systems: S

4 S1.3.3 Proactive Vulnerability Management Activities Specific security activities will be scheduled and conducted by the Enterprise Information Security Office on a regular ongoing basis to identify, evaluate, and reduce vulnerabilities within the enterprise. Specific tasks include: S Quarterly, vulnerability management will run reports showing the machines that are out of compliance with the current recommend patches levels. S Quarterly, vulnerability management will scan the network to identify any new devices that are not detected by the patch management software. S Quarterly, vulnerability management will run scans of the network to identify those machines that may have other vulnerabilities, unnecessary services or are susceptible to possible threats. S1.3.3 Applies to the following classification of systems: S1.4 Document History Originator: Michael Casey, Chief Information Security Officer Next Review: August 25, 2010 Reviewed Date: N/A Reviewed By: N/A S1.4.1 Document Information Property/Name Classification Policy Reference Value For Official Use Only System and Information Integrity Policy Patch Management Security Policy S1.4.2 Revision History Author Description Purpose Date Modified Vers. # M Allred M Casey N/A Establish initial standard Update to enterprise organizational changes 5/17/ /30/ S

5 M Casey Update incorporating Security Administration review and comments 07/1/ S1.4.3 Regulatory and Legal Index Regulatory References Legal References DTS Representative Signature: Name (Printed): Date: Stephen Fletcher Title (Printed): CIO/ DTS Executive Director S