for e-governance
Draft
DEPARTMENT OF ELECTRONICS AND INFORMATION TECHNOLOGY
Ministry of Communication and Information Technology, Government of India.
For Internal Use Only
1. INTRODUCTION

The objective of the Patch Management Procedure is to control the deployment and maintenance of interim software releases into production environments. Effective Patch Management maintains operational efficiency and effectiveness, overcomes security vulnerabilities and maintains the stability of the production environment. Assessing and maintaining the integrity of software in a networked environment through a well-defined patch management program is the key first step toward successful information security.

2. SCOPE

Patch management is designed to give an organization control over the software updates it deploys. Any organization planning to patch its operational environment should ensure that it has:
- Tools and technologies that are most appropriate for effective patch management.
- Effective project management processes.

This document applies to all IT infrastructure and applications used for e-Gov service delivery.

3. PURPOSE

The objective of the Patch Management Procedure is to control the deployment and maintenance of interim software releases into production environments. Effective Patch Management maintains operational efficiency and effectiveness, overcomes security vulnerabilities and maintains the stability of the production environment. Assessing and maintaining the integrity of software in a networked environment through a well-defined patch management program is the key first step toward successful information security.
4. DEFINITIONS

Vulnerability - This term characterises the absence or weakness of a risk-reducing safeguard. It is a condition that has the potential to allow a threat to occur frequently, with great impact, or both.

Threat agent - The person or process attacking a system by exploiting its vulnerabilities to violate confidentiality, integrity and availability.

Attack - A threat agent attempting to take advantage of vulnerabilities for unexpected/malicious purposes.

Countermeasure - Software configurations, hardware, or procedures that reduce the risk of an information system being exploited. It is also called a safeguard.
5. PATCH MANAGEMENT PROCESS

5.1 PATCH MANAGEMENT PROCESS FLOW

[Figure: Patch Management Input/Output Model, with Input, Process and Output columns. Surviving labels: Implementation Schedule; Management Database; Management Baselines & Profiles; Preventive & Corrective Actions; Implementation Reports]

Input Required
The key inputs to the Patch Management process are:
- Scheduled patches to be deployed at e-gov
- Preventive or Corrective actions arising from identified incidents may require updation of patches on e-gov assets/applications used for e-gov service delivery.

Output Generated

The outputs from the Patch Management process are:
- A list of all successfully deployed patches on e-gov assets/applications shall be maintained in a centralised Patch Management Database.
- After successful deployment of certain critical patches, the baselines/profiles of servers/applications may be revised and updated.
- The Patch Management Tracker is updated and closed. It has the list of patches updated successfully and also the list of patches not deployed, along with reasons.

5.2 PATCH MANAGEMENT PROCESS FLOWCHART

Due diligence is exercised by the Patch Management team to ensure that patch deployments are carried out in a timely manner. The patch management process has a five-phase approach to manage patch deployments, which is designed to give control over the deployment and maintenance of interim software releases for software utilities, network appliances, operating systems and applications being used within e-gov service delivery.
[Figure: five-phase cycle. PMP01 Measurement and Assessment; PMP02 Identification and Classification; PMP03 Estimation and Preparation; PMP04 Implementation; PMP05 Validation and Recording]

Following is a brief description of the five phases.

Measurement and Assessment (PMP01): Measurement and Assessment is the identification of the current status of patch deployment in the production environment. The outcome of this step is the list of security threats and vulnerabilities that e-gov service delivery might face and whether it is geared to respond appropriately.

Identification and Classification (PMP02): Identification and Classification is the reliable discovery of new software updates and deciding whether new software updates are relevant to the e-gov service delivery environment. It is important to classify the type of software updates and determine the type of change a software update represents.
Severity Rating: A defined severity rating is used within the organization. The severity rating is applicable to all e-gov service delivery equipment (servers, applications and network devices). The severity rating is decided by the Manager. This helps determine the urgency of addressing vulnerabilities and deploying related updates. The following table lists the ratings used by the organization to classify the severity of a vulnerability and the associated update.

Rating - Definition

High Severity - A publicly disclosed vulnerability whose exploitation could allow the propagation of an Internet worm without user action or whose exploitation could result in compromise of the confidentiality, integrity, or availability of user's data, or of the integrity or availability of processing resources.

Medium Severity - Exploitability is mitigated to a significant degree by factors such as default configuration, auditing or difficulty of exploitation.

Low Severity - Vulnerability whose exploitation is extremely difficult or whose impact is minimal.

Estimation and Preparation (PMP03): Estimation and Preparation is the evaluation and planning phase of the patch management process. Estimation refers to the decision whether to deploy the software update or not. In addition, testing the software update in a production-like environment is required to validate the after-effects of patch deployment. Preparation is the planning for the type of process, technology and skills required to deploy the software update and making a schedule for implementation. Taking approval for patch implementation also comes under this phase.
Patch Management Schedule preparation:

Steps - Definition - Measurement - Target

1 - Advisories are received and authenticated from respective sources - As received
2 - Advisories are validated for applicability and forwarded to Implementer. - Within 1 Business Day
4 - Number of patches that cannot be applied within due date. - Within 15 Business days
5 - Change Management Process - Change Management to be followed before applying patches

Implementation (PMP04): Implementation is the successful deployment of the approved patches into the organisation's environment according to the plan prepared in the Estimation and Preparation phase.

Validation and Recording (PMP05): Validation and Recording is the monitoring and reporting activity after deployment of the patch. This phase also acts as a closure for the patch management process.
5.3 PATCH MANAGEMENT PROCEDURE DETAILS

[Flowchart: patch management procedure across the Implementer, Implementation Team Lead, Manager and Change Manager, from testing through approval, implementation and the weekly review meeting that closes the Implementation Tracker]

The following steps should be followed at e-gov service delivery for the Patch Management Procedure:
- The Implementation Team Lead decides on the schedule of the patches in consultation with the Manager.
- Based on the schedule, the team tests the patches on test beds.
- Once the test is successful, the results are communicated to the Manager and implemented after his approval and the approval of the Change Manager, on a schedule communicated to users.
- The Implementation Lead updates the Patch Management Tracker with the data.
- If the test is unsuccessful, the testing is retried under the guidance of the Implementation Team Lead.
- If the test fails repeatedly, the Manager is informed. The Manager, in co-ordination with the team, contacts the Vendor. Vendor suggestions are sought for the implementation of the patch.
- The vendor's suggestions are incorporated. Testing is done again and the results are implemented if the tests are successful.
- If the tests fail again, the update is not carried out and this is documented in the Patch Management Tracker.
- Regular and periodic team meetings are held to review the management issues and schedules.
- For Desktops/Work Stations, the auto update facility is used and the above-mentioned process is not used.

6. ROLES AND RESPONSIBILITIES

Role: Manager
Responsibilities:
- Receive the test results of patches from the patch implementer and decide whether the test report is satisfactory or not.
- Approve Deployment.
- Co-ordinate with Vendor to resolve sticky/complicated Patch Management issues.
- Hold regular patch review meetings.
- Prepare a list of overdue patches.
- Review and close the list of patches not deployed.
Role: Implementation Lead
Responsibilities:
- Coordinate with the Manager to decide on Scheduling.
- Update the Patch Management Tracker.
- Work in close coordination with patch implementers for patches that have issues.

Role: Implementer
Responsibilities:
- Receive the patch advisory from the Manager.
- Receive the Updation Schedule from the Implementation Team Lead.
- Obtain the patches from the designated Trusted Source/Vendor as per the advisory.
- Install and verify the patch on the test bed.
- Provide the patch test results to the Manager.
- As per the Change Management Procedure, deploy the patch and prepare the Updation Report.

7. PROCESS DEPENDENCY AND REFERENCE

- Incident Management Procedure
- Change Management Procedure