DTS Standard 5000-1002-S1
PATCH MANAGEMENT SECURITY STANDARD
5000-1002-S1.20090826

Status: Approved
Effective Date: August 26, 2009 through August 25, 2011
Revised Date: N/A
Approved By: J. Stephen Fletcher
Authority: UCA 63F-1-103; Utah Administrative Code, R895-7 Acceptable Use of Information Technology Resources; Utah Administrative Code, R477-11 Discipline

S1.1 Purpose

The purpose of this standard is to define and establish the State of Utah's requirements to ensure that systems do not pose an unmanaged security risk to the State of Utah network, by ensuring that applicable and required security patches are applied in a timely and effective manner.

S1.1.1 Background

This standard covers the requirements for software patch management. Patch management is the people, procedures and technology responsible for keeping computers current with updates developed for an existing software product. Security patch management is patch management with a focus on reducing security vulnerabilities.

Patch management is not a defensive procedure in reaction to critical incidents. There are emergencies that warrant such action, but security patch management should primarily be a proactive procedure for keeping the environment secure and reliable. Security patch management as a functioning procedure ensures that all identified software updates are in place, thereby eliminating vulnerabilities from the environment and mitigating the risk of computers being compromised.

The Department of Technology Services is responsible for installing and managing security controls and technologies on behalf of the State of Utah.

S1.1.2 Scope

This standard applies to all agencies and administrative subunits of state government as defined by UCA 63F-1-102(7), et seq.

S1.1.3 Exceptions

The Chief Information Officer, or authorized designee, may acknowledge that under rare circumstances, certain associates will need to employ systems that are not compliant with these standards. The Chief Information Officer, or authorized designee, must approve in writing all such instances. In such cases, a business case for non-compliance must be established and the request for exemption must be approved in advance through a risk acceptance review. The risk acceptance business case requires approval by the Information Owner (Agency Executive Director/Commissioner) or authorized designee, the Chief Information Officer or authorized designee, and the Enterprise Information Security Office.

S1.2 Definitions

Asset Custodian: The IT staff entrusted with administering and protecting specific electronic information resources and assets.

Asset Owner: The IT staff entrusted with administering and protecting specific electronic information resources and assets (Application Owner).

Information Steward: The individual responsible and accountable for assets entrusted to their care. Within the State's enterprise information security framework, executive directors are designated as the stewards responsible for the State's information assets.

Information Custodian: An individual entrusted with administering and protecting information resources and assets. Within the State's enterprise security framework, the State's Chief Information Officer (CIO) is designated as the chief information custodian of the State's electronic information resources and assets.

S1.3 Standards

S1.3.1 Automatic Scanning

S1.3.1.1 Enterprise Information Security Staff will, at a minimum, audit all networked computers monthly to determine the need for security patches. Automatic scanning systems administered from a central site are superior to manual patching methods. It must be possible to scan by:
- IP ranges
- Machine name

S1.3.1.1 applies to the following classification of systems:

S1.3.1.2 Automated scanning and deployment (patch management) systems must be able to provide lists of:
- Missing patches and/or service packs
- OS versions
- Patches that were successfully applied
- Patches that could not be applied

S1.3.1.2 applies to the following classification of systems:

S1.3.2 Patch Approval Process

Because security patches may cause an application to malfunction or cause other unexpected problems, patches must be scheduled using the current enterprise change management system.

S1.3.2.1 When a new security patch is announced and released, the Enterprise Information Security Staff will work with the asset custodian to determine the risk associated with the patch.

S1.3.2.2 A risk level will be assigned to the security patch based on the vulnerability procedure process.

S1.3.2.3 The asset custodian will test the patch and, based on the risk level, apply the patches accordingly.

S1.3.2.4 The asset custodian will notify the change management group using the standard change request process.

S1.3.2.5 Once the customers affected by the patch are notified and change management has approved the update, the patch will be applied.

S1.3.2.6 It is the asset or application owner's responsibility to resolve any incompatibility with the application's developer or vendor.

S1.3.2 applies to the following classification of systems:
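As an added illustration (not part of the DTS standard and not the code of any patch-management product), the following Python script produces the per-host lists that S1.3.1.2 requires from a central patch-management system (missing patches, OS version, patches applied, patches that could not be applied), scopes the run by IP range or machine name as S1.3.1.1 requires, and orders each host's missing patches by the risk level assigned under S1.3.2.2 so the asset custodian sees the worst first. The host inventory, patch identifiers, platform names and risk-level names are all constructed for the example; the standard itself does not define them.

```python
"""Patch-compliance reporting in the shape required by S1.3.1 and S1.3.2.

Added example, not the State of Utah's code or a product's API. All hosts,
patch identifiers and risk levels below are constructed for illustration.
"""
import fnmatch
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Ordering of the risk levels assigned under S1.3.2.2 (level names are assumed here).
RISK_ORDER: Dict[str, int] = {"critical": 0, "high": 1, "moderate": 2, "low": 3}


@dataclass
class Host:
    """What the central patch-management system knows about one machine."""
    name: str
    ip: str
    os: str
    applied: Set[str] = field(default_factory=set)  # patches reported installed
    failed: Set[str] = field(default_factory=set)   # patches attempted but not applied


@dataclass
class Patch:
    """One required patch or service pack in the enterprise baseline."""
    patch_id: str
    os: str    # platform the patch targets
    risk: str  # risk level assigned by the vulnerability procedure (S1.3.2.2)


# Constructed inventory (sample data, not a real network).
INVENTORY: List[Host] = [
    Host("ws-0101", "10.20.1.15", "Windows 7", applied={"KB-2001", "KB-2002", "KB-2003"}),
    Host("ws-0102", "10.20.1.16", "Windows 7", applied={"KB-2001"}, failed={"KB-2002"}),
    Host("srv-db01", "10.20.5.40", "RHEL 5", applied={"RHSA-3001"}),
    Host("srv-web01", "10.20.5.41", "RHEL 5", failed={"RHSA-3001"}),
]

# Constructed baseline of required patches per platform with assigned risk levels.
BASELINE: List[Patch] = [
    Patch("KB-2001", "Windows 7", "critical"),
    Patch("KB-2002", "Windows 7", "high"),
    Patch("KB-2003", "Windows 7", "moderate"),
    Patch("RHSA-3001", "RHEL 5", "critical"),
    Patch("RHSA-3002", "RHEL 5", "low"),
]


def select_hosts(inventory: List[Host], ip_range: Optional[str] = None,
                 name_pattern: Optional[str] = None) -> List[Host]:
    """Scope a scan by IP range (CIDR) and/or machine-name glob (S1.3.1.1)."""
    net = ipaddress.ip_network(ip_range, strict=False) if ip_range else None
    selected = []
    for host in inventory:
        if net is not None and ipaddress.ip_address(host.ip) not in net:
            continue
        if name_pattern and not fnmatch.fnmatchcase(host.name, name_pattern):
            continue
        selected.append(host)
    return selected


def host_report(host: Host, baseline: List[Patch]) -> dict:
    """Per-host lists S1.3.1.2 calls for: missing, applied and could-not-apply patches."""
    required = [p for p in baseline if p.os == host.os]
    required_ids = {p.patch_id for p in required}
    # Missing patches ordered by risk level so the custodian applies the worst first.
    missing = sorted((p for p in required if p.patch_id not in host.applied),
                     key=lambda p: (RISK_ORDER[p.risk], p.patch_id))
    return {
        "name": host.name,
        "os": host.os,
        "missing": [p.patch_id for p in missing],
        "highest_missing_risk": missing[0].risk if missing else None,
        "applied": sorted(host.applied & required_ids),
        "failed": sorted(host.failed & required_ids),
        "compliant": not missing,
    }


def compliance_report(inventory: List[Host], baseline: List[Patch],
                      ip_range: Optional[str] = None,
                      name_pattern: Optional[str] = None) -> List[dict]:
    """Run the per-host report over the hosts selected by IP range and/or name."""
    return [host_report(h, baseline) for h in select_hosts(inventory, ip_range, name_pattern)]


def out_of_compliance(report: List[dict]) -> List[str]:
    """Machines not at the current required patch level."""
    return [r["name"] for r in report if not r["compliant"]]


if __name__ == "__main__":
    report = compliance_report(INVENTORY, BASELINE)
    for row in report:
        print(f"{row['name']:<10} {row['os']:<10} missing={row['missing']} "
              f"failed={row['failed']} worst={row['highest_missing_risk']}")
    print("out of compliance:", out_of_compliance(report))
```

A patch that the agent reports as failed still appears in the host's missing list, which is the point of keeping the two lists separate: "could not be applied" tells the custodian which gaps need vendor or owner attention under S1.3.2.6, while "missing" remains the measure of whether the host is at the required level.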

S1.3.3 Proactive Vulnerability Management Activities

Specific security activities will be scheduled and conducted by the Enterprise Information Security Office on a regular, ongoing basis to identify, evaluate, and reduce vulnerabilities within the enterprise. Specific tasks include:

S1.3.3.1 Quarterly, vulnerability management will run reports showing the machines that are out of compliance with the current recommended patch levels.

S1.3.3.2 Quarterly, vulnerability management will scan the network to identify any new devices that are not detected by the patch management software.

S1.3.3.3 Quarterly, vulnerability management will run scans of the network to identify those machines that may have other vulnerabilities, unnecessary services, or are susceptible to possible threats.

S1.3.3 applies to the following classification of systems:

S1.4 Document History

Originator: Michael Casey, Chief Information Security Officer
Next Review: August 25, 2010
Reviewed Date: N/A
Reviewed By: N/A

S1.4.1 Document Information

Property/Name | Value
Classification | For Official Use Only
Policy Reference | 5000-1000 System and Information Integrity Policy; 5000-1002 Patch Management Security Policy

S1.4.2 Revision History

Author | Description | Purpose | Date Modified | Vers. #
M Allred | N/A | Establish initial standard | 5/17/07 | 1.0
M Casey | | Update to enterprise organizational changes | 04/30/2009 | 1.1
M Casey | | Update incorporating Security Administration review and comments | 07/1/2009 | 1.2

S1.4.3 Regulatory and Legal Index

Regulatory References

Legal References

DTS Representative Signature:
Name (Printed): Stephen Fletcher
Title (Printed): CIO/DTS Executive Director
Date: