UMHLABUYALINGANA MUNICIPALITY PATCH MANAGEMENT POLICY/PROCEDURE



Similar documents
UMHLABUYALINGANA MUNICIPALITY ANTIVIRUS MANAGEMENT POLICY

Patch Management Procedure. Andrew Marriott PATCH MANAGEMENT PROCEDURE.DOCX Version: 1.1

Data Management Policies. Sage ERP Online

How To Monitor A Municipality

UMHLABUYALINGANA MUNICIPALITY

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

UMHLABUYALINGANA MUNICIPALITY IT PERFORMANCE AND CAPACITY MANAGEMENT POLICY

Information and Communication Technology. Patch Management Policy

PATCH MANAGEMENT. February The Government of the Hong Kong Special Administrative Region

The Value of Vulnerability Management*

IT Security Standard: Patch Management

Virginia Commonwealth University School of Medicine Information Security Standard

SECURITY PATCH MANAGEMENT INSTALLATION POLICY AND PROCEDURES

Patch and Vulnerability Management Program

Vulnerability Management Policy

PATCH MANAGEMENT POLICY IT-P-016

PATCH MANAGEMENT POLICY PATCH MANAGEMENT POLICY. Page 1 of 5

COMMONWEALTH OF PENNSYLVANIA DEPARTMENT S OF PUBLIC WELFARE, INSURANCE AND AGING

Patch Management Procedure. e-governance

UMHLABUYALINGANA MUNICIPALITY FIREWALL MANAGEMENT POLICY

Information Technology Policy

Security Vulnerabilities and Patches Explained IT Security Bulletin for the Government of Canada

Title: Security Patch Management

Utica College. Information Security Plan

State of Oregon. State of Oregon 1

Office of Inspector General

Patch Management Policy

INSIDE. Management Process. Symantec Corporation TM. Best Practices Roles & Responsibilities. Vulnerabilities versus Exposures.

AHS Flaw Remediation Standard

Information Security Policy September 2009 Newman University IT Services. Information Security Policy

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

TECHNICAL VULNERABILITY & PATCH MANAGEMENT

¼ããÀ ããè¾ã ¹ãÆãä ã¼ãîãä ã ããõà ãäìããä ã½ã¾ã ºããñ à Securities and Exchange Board of India

How To Audit The Mint'S Information Technology

INFORMATION TECHNOLOGY SECURITY STANDARDS

Cyber Security Incident Handling Policy. Information Technology Services Center (ITSC) of The Hong Kong University of Science and Technology

INFORMATION SECURITY California Maritime Academy

Department of Information Technology Remote Access Audit Final Report. January promoting efficient & effective local government

INFORMATION SECURITY Humboldt State University

CITY OF BOULDER *** POLICIES AND PROCEDURES

The Department of Technology Services is responsible for installing and managing security controls and technologies on behalf of the State of Utah.

Summary of CIP Version 5 Standards

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

Malicious Mitigation Strategy Guide

Document Title: System Administrator Policy

Using Windows Update for Windows 95/98

Secondary DMZ: DMZ (2)

ISMS Implementation Guide

NCUA LETTER TO CREDIT UNIONS

Egress Switch Best Practice Security Guide V4.x

Managing Vulnerabilities for PCI Compliance White Paper. Christopher S. Harper Managing Director, Agio Security Services

How To Protect Decd Information From Harm

Northwestern University Dell Kace Patch Management

RUTGERS POLICY. Section Title: Legacy UMDNJ policies associated with Information Technology

UMHLABUYALINGANA MUNICIPALITY

Cyber Security Incident Reporting Scheme

Network & Information Security Policy

PCI COMPLIANCE REQUIREMENTS COMPLIANCE CALENDAR

Service Children s Education

MWR InfoSecurity Security Advisory. Symantec s Altiris Deployment Solution File Transfer Race Condition. 7 th January 2010

Introduction. PCI DSS Overview

How To Ensure The C.E.A.S.A

UMHLABUYALINGANA MUNICIPALITY IT CHANGE MANAGEMENT POLICY

Guide to Vulnerability Management for Small Companies

North American Electric Reliability Corporation: Critical Infrastructure Protection, Version 5 (NERC-CIP V5)

WHITE PAPER. Attaining HIPAA Compliance with Retina Vulnerability Assessment Technology

ITP01 - Patch Management Policy

Version: 2.0. Effective From: 28/11/2014

Executive Summary Program Highlights for FY2009/2010 Mission Statement Authority State Law: University Policy:

Host Hardening. Presented by. Douglas Couch & Nathan Heck Security Analysts for ITaP 1

Incident Reporting Guidelines for Constituents (Public)

Information Security Program

Acceptable Usage Policy

REGULATIONS FOR THE SECURITY OF INTERNET BANKING

Standard: Information Security Incident Management

IMS-ISA Incident Response Guideline

STATE OF NEW JERSEY IT CIRCULAR

External Supplier Control Requirements

UoB Risk Assessment Methodology

Newcastle University Information Security Procedures Version 3

Infrastructure Information Security Assurance (ISA) Process

Policy Document. Communications and Operation Management Policy

BALTIMORE CITY COMMUNITY COLLEGE INFORMATION TECHNOLOGY SECURITY PLAN

Information Security Program Management Standard

Taking a Proactive Approach to Linux Server Patch Management Linux server patching

Client Security Risk Assessment Questionnaire

ACCEPTABLE USAGE PLOICY

NYS LOCAL GOVERNMENT VULNERABILITY SCANNING PROJECT September 22, 2011

Third Party Identity Services Assurance Framework. Information Security Registered Assessors Program Guide

Standard CIP 007 3a Cyber Security Systems Security Management

Information Security Incident Management Policy and Procedure

Vulnerability Management. Information Technology Audit. For the Period July 2010 to July 2011

AGENDA HIP Ho AA w i rivacy d The B reach Happen? I P nc AA Secu dent R rit esp y o nse Corrective Action Plan What We Learned ACRONYMS USED

Maruleng Local Municipality

Network Security: Policies and Guidelines for Effective Network Management

Cyber Essentials Scheme

Protecting Your Organisation from Targeted Cyber Intrusion

SITA Security Requirements for Third-Party Service Providers that Access, Process, Store or Transmit Data on Behalf of SITA

U.S. Department of Energy Office of Inspector General Office of Audits and Inspections

Transcription:

UMHLABUYALINGANA MUNICIPALITY PATCH MANAGEMENT POLICY/PROCEDURE

Originator Patch Management Policy Approval and Version Control Approval Process: Position or Meeting Number: Date: Recommended by Director of Corporate Services Recommended by EXCO Approved by Council Effective Review Frequency: Once a year (i.e. Annually) Version Number PATCH MANAGEMENT POLICY Page 2 of 12

TABLE OF CONTENTS 1. OVERVIEW... 4 2. PURPOSE... 4 3. SCOPE... 4 4. DEFINITIONS... 4 5. GENERAL POLICY... 5 6. PATCH MANAGEMENT... 5 6.1. IT OFFICER RESPONSIBILITIES... 5 6.2. SERVICE PROVIDER RESPONSIBILITIES... 6 6.3. ALL STAFF & THIRD PARTIES... 6 6.4. THE MUNICIPALITY... 6 6.5. MONITORING... 6 6.6. ASSESSING AND CLASSIFYING RISK... 7 6.7. TESTING... 7 6.8. AUTHORISATION AND NOTIFICATION... 8 6.9. IMPLEMENTATION... 8 6.10. VERIFICATION... 9 7. HOT FIXES... 10 8. ENFORCEMENT... 10 9. APPENDICES... 10 9.1. Appendix A - Patch Control Form... 10 9.2. Appendix B - Monthly Patch Management Compliance Form... 10 PATCH MANAGEMENT POLICY Page 3 of 12

1. OVERVIEW This Policy establishes certain requirements which must be met by all computers and servers connected to the Umhlabuyalingana Municipality network to provide the municipality with a trusted and secure network infrastructure to support the effective delivery of IT resources and mechanisms to help the organisation realise its goals and objectives in maintaining a secure IT environment. It attempts to set standards in terms of patch management. 2. PURPOSE It is the IT Officer's responsibility to ensure that all computer devices (including servers and desktops) that are connected to the Umhlabuyalingana Municipality network have the latest security patches installed. This document describes the management of IT Security/Integrity Patches for the Umhlabuyalingana Municipality. This document provides a common definition of what is required when performing Security Patch Management activities for the Umhlabuyalingana Municipality. 3. SCOPE The scope for this process comprises the following: IT Security/Integrity Patches, which includes Security Updates and Hot Fixes. Systems/Platforms, Middleware and Applications. All software on all platforms and devices. 4. DEFINITIONS Patches - typically released to protect against known exploits in operating system or application code or to address functionality issues or a new vulnerability. Vulnerabilities - weaknesses in software that can be exploited by an entity to gain elevated privileges is authorised to have on a computer or system. Not all vulnerabilities have related patches. These situations require workarounds to attempt to mitigate un-patched vulnerabilities. Threats - A circumstance, event, or person with the potential to cause harm to a system in the form of destruction, disclosure, data modification, and/or Denial of Service (DoS). CERT - CERT is the Internet's official emergency team. CERT focuses on security breach and incidents, providing alerts and incident-handling and avoidance guidelines. CERT also conducts an on-going public awareness campaign and engages in research aimed at improving security systems. PATCH MANAGEMENT POLICY Page 4 of 12

5. GENERAL POLICY 5.1. Regardless of platform or criticality, all patch releases will follow a defined process for patch deployment that includes assessing the risk, testing, approval, installing and verifying. 5.2. Umhlabuyalingana Municipality is committed to complying with applicable compliance laws, rules and standards. 6. PATCH MANAGEMENT 6.1. IT OFFICER RESPONSIBILITIES 6.1.1. The IT Officer must ensure that all IT systems are patched in timely manner as detailed in this policy. 6.1.2. The IT Officer must review current threats and vulnerabilities and check relevant advisories to monitor for patches or fixes to mitigate the risks presented by these threats and vulnerabilities. 6.1.3. The IT Officer must establish and implement a departmental program for patch management on all IT systems. 6.1.4. The IT Officer must ensure that a departmental inventory of hardware and software patch status is developed to maintain and track the status of all patch actions and vulnerability corrections and to provide rapid response to internal or external reporting requirements. 6.1.5. A Patch Management Compliance form (see Appendix B) must be completed by the IT Officer for all patches installed. The IT Officer will take overall responsibility in ensuring that patches are applied. 6.1.6. The IT Officer must report the patch management status of the municipality on a monthly basis to the Executive Director of Corporate Services using the Patch Management Compliance Form. 6.1.7. The IT Officer must develop and publish policy and procedural guidance on patch management. 6.1.8. The IT Officer must monitor patch management on a municipal-wide basis. PATCH MANAGEMENT POLICY Page 5 of 12

6.2. SERVICE PROVIDER RESPONSIBILITIES 6.2.1. The relevant service provider must ensure that security patches/ hot fixes for Abakus and VIP Premier are performed in a timely manner as laid out in this policy. 6.2.2. The relevant service provider must review current threats and vulnerabilities and to check relevant advisories to monitor any potential threats or vulnerabilities. 6.2.3. The relevant service provider must report the patch management status of the municipality on a regular basis to the IT Officer. 6.3. ALL STAFF & THIRD PARTIES 6.3.1. It is the responsibility of each user, both individually and within the municipality, to ensure prudent and responsible use of computing and network resources. 6.3.2. End Users must report any suspected lack of compliance with this policy to the IT Officer. Failure to do so constitutes a violation of this policy. 6.4. THE MUNICIPALITY 6.4.1. Reserves the right to monitor for violations of this policy. 6.5. MONITORING 6.5.1. The IT Officer and relevant service provider will monitor and/or subscribe to security mailing lists, review vendor notifications and web sites and research specific public web sites for the release of new patches. 6.5.2. Monitoring will include, but not be limited to, the following: 6.5.2.1. Scanning the Umhlabuyalingana Municipality s network to identify known vulnerabilities. 6.5.2.2. Monitoring Computer Emergency Readiness Team, CERT, other advisories and websites of all vendors that have hardware or software operating on the municipality s network. 6.5.2.3. Where a vendor has no subscription service available for the notification of patches that are released, the IT Officer and relevant service provider will perform manual monitoring at least monthly. PATCH MANAGEMENT POLICY Page 6 of 12

6.6. ASSESSING AND CLASSIFYING RISK 6.6.1. Once alerted to a new patch, the IT Officer or relevant service provider will download and review the new patch. 6.6.2. The security patch will be assessed for risk and severity and a classification will be assigned. 6.6.3. The patch will be categorised based on the criticality of the patch according to the following: 6.6.3.1. Emergency - an imminent threat to the Umhlabuyalingana Municipality s network. 6.6.3.2. High A vulnerability whose exploitation could allow the propagation of malicious software without user action. A vulnerability whose exploitation could result in compromise of the confidentiality, integrity or availability of user s data or of the integrity or availability of processing resources. 6.6.3.3. Medium - Exploitability is mitigated to a significant degree by factors such as default configuration, auditing or difficulty of exploitation. 6.6.3.4. Low A vulnerability whose exploitation is extremely difficult or whose impact is minimal. 6.7. TESTING 6.7.1. The IT Officer or relevant service provider will assess the effect of a patch to the municipality s infrastructure prior to its deployment. 6.7.2. The IT Officer will assess the affected patch for criticality relevant to each platform (e.g., servers and desktops). 6.7.3. All patches will undergo testing for each affected platform before release for implementation. 6.7.4. If a patch is categorised as an Emergency, it is considered an imminent threat to Umhlabuyalingana Municipality s network. Therefore, the Umhlabuyalingana PATCH MANAGEMENT POLICY Page 7 of 12

Municipality assumes greater risk by not implementing the patch than waiting to test it before implementing. 6.7.5. Once the IT Officer or relevant service provider is satisfied that the implementation of a new patch will not cause any unexpected behaviour, he must agree upon a schedule for implementation. 6.7.6. It is the responsibility of application end users to identify any problem(s) with a patch or patches and to notify the IT Officer of the problem(s) post installation. 6.8. AUTHORISATION AND NOTIFICATION 6.8.1. Regardless of criticality, each patch requires the creation and approval of a request for change prior to implementing the patch. 6.8.2. Patches classified as Emergency will follow the Emergency Change control procedures.. 6.8.3. The IT Officer or relevant service provider will implement patches during regularly scheduled maintenance (downtime) periods. 6.8.4. The Executive Director of Corporate Services must approve the patch schedule prior to implementation. 6.8.5. For new network devices and servers, each platform will follow established hardening procedures to ensure the installation of the most recent patches. 6.8.6. Since a security patch may cause a system to malfunction, the IT Officer should proactively announce the implementation of a patch or patches. 6.9. IMPLEMENTATION 6.9.1. The IT Officer or relevant service provider will implement Emergency patches within eight hours of availability. As Emergency patches pose an imminent threat to the network, the implementation may precede testing. 6.9.2. In all instances, the IT Officer or relevant service provider will perform testing preimplementation and document it for auditing and tracking purposes. PATCH MANAGEMENT POLICY Page 8 of 12

6.9.3. The IT Officer will obtain authorisation for implementing Emergency patches via an emergency change (refer to the IT Change Management Procedure). 6.9.4. The IT Officer or relevant service provider will implement High, Medium and Low patches during regularly scheduled maintenance (downtime) windows. Each patch will have an approved change record. 6.9.5. Patches will be implemented on all devices according to the timeframes below: Criticality of Patch Emergency High Medium Low Timeframe to Implement Within 8 hours of availability Within 30 days of availability Within 60 days of availability Within 90 days of availability 6.10. VERIFICATION 6.10.1. Following the implementation of all patches, the IT Officer or relevant service provider will verify the successful installation of the patch to ensure that there have been no adverse effects. PATCH MANAGEMENT POLICY Page 9 of 12

7. HOT FIXES 7.1. Operating system updates, hotfixes and service packs will only be installed under the following conditions: 7.1.1. If a specific issue has been identified that requires the installation of the update, hotfix or service pack. 7.1.2. All relevant documentation for the update, hotfix or service pack has been reviewed to determine any configuration changes and potential problems that may be introduced and to determine whether all requirements for installation are being met. 7.1.3. The update, hotfix or service pack has been installed and tested in a test environment to determine any possible issues that may result in the production environment. 7.1.4. It has been established that there is a greater risk in not applying the update, hotfix or service pack then there is in the risk of applying it. 8. ENFORCEMENT 8.1. Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment. 9. APPENDICES 9.1. Appendix A - Patch Control Form 9.2. Appendix B - Monthly Patch Management Compliance Form PATCH MANAGEMENT POLICY Page 10 of 12

APPENDIX A - PATCH CONTROL FORM PATCH INFORMATION: Patch Source or Vendor Name (if Patch was alerted to municipality by system vendor): Date Requested: Signature: System Affected: DESCRIPTION OF PATCH Email: Contact No.: Office: Patch Request No: Risk Rating: BUSINESS JUSTIFICATION NATURE AND PRIORITY AUTHORISATION AND APPROVAL Name Title Date Signature Approved by: Authorised by: TESTING OF CHANGES Testing Required : YES / NO If NO, provide reason for not testing: Testing Documentation/Screen Prints Attached to Change Request: YES / NO SIGN-OFF COMPLETION OF CHANGE Name Title Date Signature Tested by (where applicable): Patch Implemented by: PATCH MANAGEMENT POLICY Page 11 of 12

APPENDIX B - PATCH MANAGEMENT COMPLIANCE FORM Patch Request Number: Details of Change: Change Documentation Attached: Change Management Process Followed: (Yes/No) Details of Exceptions Noted: Checked by: Designation: Sign: Date: PATCH MANAGEMENT POLICY Page 12 of 12

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information