Patch Management Procedure. e-governance

Patch Management Procedure for e-governance
Draft
DEPARTMENT OF ELECTRONICS AND INFORMATION TECHNOLOGY
Ministry of Communication and Information Technology, Government of India

Document Control (columns: S/L, Type of Information, Document Data)
1. Document Title
2. Document Code
3. Date of Release
4. Next Review Date
5. Document Revision Number
6. Document Owner
7. Document Author(s)
8. Document Reference

Document Approval (columns: Sr. No., Document Approver, Approver Designation, Approver E-mail ID)

Document Change History (columns: Version No., Revision Date, Nature of Change, Date of Approval)

For Internal Use Only Page 2 of 13

Table of Contents
1. INTRODUCTION
2. SCOPE
3. PURPOSE
4. ROLES AND RESPONSIBILITIES
5. INCIDENTS AND INCIDENT RESPONSE
6. CLASSIFICATION OF SECURITY INCIDENTS
6.1 INCIDENT CATEGORY
6.2 INCIDENT TYPE
7. RECORDING AND ROUTING AN INFORMATION SECURITY INCIDENT
8. RESOLVING SECURITY INCIDENT
8.1 IT SECURITY INCIDENT
8.2 NON IT INCIDENT
9. CLOSING SECURITY INCIDENTS
10. ESCALATION MATRIX
11. POST IMPLEMENTATION REVIEW
12. REFERENCE

1. INTRODUCTION

The objective of the Patch Management Procedure is to control the deployment and maintenance of interim software releases into production environments. Effective Patch Management maintains operational efficiency and effectiveness, overcomes security vulnerabilities and maintains the stability of the production environment. Assessing and maintaining the integrity of software in a networked environment through a well-defined patch management program is the key first step toward successful information security.

2. SCOPE

Patch management is designed to give an organization control over the software updates it deploys. Any organization planning to patch its operational environment should ensure that it has:
- Tools and technologies that are most appropriate for effective patch management.
- Effective project management processes.

This document applies to all IT infrastructure and applications used for e-Gov service delivery.

3. PURPOSE

The objective of the Patch Management Procedure is to control the deployment and maintenance of interim software releases into production environments. Effective Patch Management maintains operational efficiency and effectiveness, overcomes security vulnerabilities and maintains the stability of the production environment. Assessing and maintaining the integrity of software in a networked environment through a well-defined patch management program is the key first step toward successful information security.

4. DEFINITIONS

Vulnerability - This term characterises the absence or weakness of a risk-reducing safeguard. It is a condition that has the potential to allow a threat to occur frequently, with great impact, or both.

Threat agent - The person or process attacking a system by exploiting its vulnerabilities to violate confidentiality, integrity and availability.

Attack - A threat agent attempting to take advantage of vulnerabilities for unexpected/malicious purposes.

Countermeasure - Software configurations, hardware, or procedures that reduce the risk of an information system being exploited. It is also called a safeguard.

5. PATCH MANAGEMENT PROCESS

5.1 PATCH MANAGEMENT PROCESS FLOW

[Figure: Patch Management Input/Output Model, with columns Input, Process and Output. Box labels: Implementation Schedule, Management Database, Management, Baselines & Profiles, Preventive & Corrective Actions, Implementation Reports.]

Input Required

The key inputs to the Patch Management process are:
- Scheduled patches to be deployed at e-gov.
- Preventive or corrective actions arising from identified incidents, which may require updation of patches on e-gov assets/applications used for e-gov service delivery.

Output Generated

The outputs from the Patch Management process are:
- A list of all successfully deployed patches on e-gov assets/applications shall be maintained in a centralised Patch Management Database.
- After successful deployment of certain critical patches, the baselines/profiles of servers/applications may be revised and updated.
- The Patch Management Tracker is updated and closed. It holds the list of Patches updated successfully and also the list of patches not deployed, along with reasons.

5.2 PATCH MANAGEMENT PROCESS FLOWCHART

Due diligence is exercised by the Patch Management team to ensure that patch deployments are carried out in a timely manner. The Patch management process has a five-phase approach to managing patch deployments, which is designed to give control over the deployment and maintenance of interim software releases for software utilities, network appliances, operating systems and applications being used within e-gov service delivery.

[Figure: the five phases of the process: PMP01 Measurement and Assessment, PMP02 Identification and Classification, PMP03 Estimation and Preparation, PMP04 Implementation, PMP05 Validation and Recording.]

Following is a brief description of the five phases.

Measurement and Assessment (PMP01): Measurement and Assessment is the identification of the current status of patch deployment in the production environment. The outcome of this step is the list of security threats and vulnerabilities that e-gov service delivery might face and whether it is geared to respond appropriately.

Identification and Classification (PMP02): Identification and Classification is the reliable discovery of new software updates and deciding whether new software updates are relevant to the e-gov service delivery environment. It is important to classify the type of software updates and determine the type of change a software update represents.

Severity Rating: A defined severity rating is used within the organization. The severity rating is applicable to all e-gov service delivery equipment (servers, applications and network devices). The severity rating is decided by the Manager. This helps determine the urgency of addressing vulnerabilities and deploying related updates. The following table lists the ratings used by the organization to classify the severity of a vulnerability and the associated update.

Rating - Definition

High Severity - A publicly disclosed vulnerability whose exploitation could allow the propagation of an Internet worm without user action or whose exploitation could result in compromise of the confidentiality, integrity, or availability of user's data, or of the integrity or availability of processing resources.

Medium Severity - Exploitability is mitigated to a significant degree by factors such as default configuration, auditing or difficulty of exploitation.

Low Severity - Vulnerability whose exploitation is extremely difficult or whose impact is minimal.

Estimation and Preparation (PMP03): Estimation and Preparation is the evaluation and planning phase of the patch management process. Estimation refers to the decision whether to deploy the software update or not. In addition, testing the software update in a production-like environment is required to validate the after-effects of patch deployment. Preparation is the planning for the type of process, technology and skills required to deploy the software update, and making a schedule for implementation. Taking approval for patch implementation also comes under this phase.

Patch Management Schedule preparation (columns: Steps, Definition, Measurement, Target):

1 - Advisories are received and authenticated from respective sources. As received.
2 - Advisories are validated for applicability and forwarded to Implementer. Within 1 Business Day.
4 - Number of patches that cannot be applied within due date. Within 15 Business days.
5 - Change Management Process. Change Management to be followed before applying patches.

Implementation (PMP04): Implementation is the successful deployment of the approved patches into the organisation's environment according to the plan prepared in the Estimation and Preparation phase.

Validation and Recording (PMP05): Validation and Recording is the monitoring and reporting activity, post deployment of the patch. This phase also acts as a closure for the patch management process.

5.3 PATCH MANAGEMENT PROCEDURE DETAILS

[Flowchart: patch management procedure across the lanes Implementer, Implementation Team Lead, Manager and Change Manager. Boxes: Start; Receive Report from Software; Prepare Implementation Schedule & Communicate to Team; Conduct Testing; Is the test successful?; Is it a retest?; Communicate results to Manager; Communicate to Manager; Get issue resolved in consultation with vendor; Approve Tests & CR Form?; Approve?; Inform Users of Update Timings and Schedule; Implement and communicate to Implementation Team Lead; Update Implementation Tracker; Conduct Weekly review meeting to review and close Implementation Tracker; Stop.]

The following steps should be followed at e-gov service delivery for the Patch Management Procedure:
- The Implementation Team Lead decides on the schedule of the Patches in consultation with the Manager.
- Based on the schedule, the team tests the Patches on test beds.

- Once the test is successful, the results are communicated to the Manager and the results are implemented after his approval and the approval of the change manager, on a schedule communicated to users.
- The Implementation Lead updates the Patch Management Tracker with the data.
- If the test is unsuccessful, the testing is retried under the guidance of the Implementation Team Lead.
- If the test fails repeatedly, the Manager is informed.
- The Manager, in co-ordination with the team, contacts the Vendor. Vendor suggestions are sought for the implementation of the patch.
- Once the vendor's suggestions are incorporated, testing is done again and the results are implemented if the tests are successful.
- If the tests fail again, the update is not carried out and the same is documented in the Patch Management Tracker.
- Regular and periodic team meetings are held to review the Patch management issues and schedules.
- For desktops/workstations, the auto-update facility is used and the above-mentioned process is not used.

6. ROLES AND RESPONSIBILITIES

Role: Manager
Responsibilities:
- Receive the test results of patches from the patch implementer and decide whether the test report is satisfactory or not.
- Approve Deployment.
- Co-ordinate with the Vendor to resolve sticky/complicated Patch Management issues.
- Hold regular patch review meetings.
- Prepare a list of overdue patches.
- Review and close the list of not deployed patches.

Role: Implementation Lead
Responsibilities:
- Coordinate with the Manager to decide on Scheduling.
- Update the Patch Management tracker.
- Work in close coordination with patch implementers for patches that have issues.

Role: Implementer
Responsibilities:
- Receive the patch advisory from the Manager.
- Receive the Updation Schedule from the Implementation team lead.
- Obtain the patches from the designated Trusted Source/Vendor as per advisory.
- Install and verify the patch on the Test bed.
- Provide the patch test results to the Manager.
- As per the Change Management Procedure, deploy the patch and prepare the Updation Report.

7. PROCESS DEPENDENCY AND REFERENCE
- Incident Management Procedure
- Change Management Procedure