Title: Security Patch Management

Similar documents
Patch Management Procedure. Andrew Marriott PATCH MANAGEMENT PROCEDURE.DOCX Version: 1.1

Information and Communication Technology. Patch Management Policy

Patch Management Policy

UMHLABUYALINGANA MUNICIPALITY PATCH MANAGEMENT POLICY/PROCEDURE

TECHNICAL VULNERABILITY & PATCH MANAGEMENT

Data Management Policies. Sage ERP Online

PATCH MANAGEMENT POLICY PATCH MANAGEMENT POLICY. Page 1 of 5

PATCH MANAGEMENT. February The Government of the Hong Kong Special Administrative Region

PATCH MANAGEMENT POLICY IT-P-016

ITP01 - Patch Management Policy

Northwestern University Dell Kace Patch Management

SECURITY PATCH MANAGEMENT INSTALLATION POLICY AND PROCEDURES

DUUS Information Technology (IT) Acceptable Use Policy

Managing Vulnerabilities for PCI Compliance White Paper. Christopher S. Harper Managing Director, Agio Security Services

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

Department of Information Technology Remote Access Audit Final Report. January promoting efficient & effective local government

Internal Controls And Good Utility Practices. Ruchi Ankleshwaria Manager, Compliance Risk Analysis

GFI White Paper PCI-DSS compliance and GFI Software products

Database Security Guideline. Version 2.0 February 1, 2009 Database Security Consortium Security Guideline WG

PCI DSS Reporting WHITEPAPER

Patch management and security. updates SIMATIC. Process Control System PCS 7 Patch management and security updates. Preface 1

Executive Summary Program Highlights for FY2009/2010 Mission Statement Authority State Law: University Policy:

Principles of Information Security, Fourth Edition. Chapter 12 Information Security Maintenance

Patch and Vulnerability Management Program

Virtual Private Networks (VPN) Connectivity and Management Policy

Standard CIP Cyber Security Systems Security Management

AHS Vulnerability Scanning Standard

NIST National Institute of Standards and Technology

modules 1 & 2. Section: Information Security Effective: December 2005 Standard: Server Security Standard Revised: Policy Ref:

Office of Inspector General

Achieving PCI COMPLIANCE with the 2020 Audit & Control Suite.

Standard CIP 007 3a Cyber Security Systems Security Management

Windows Operating Systems. Basic Security

Managing for the Long Term: Keys to Securing, Troubleshooting and Monitoring a Private Cloud

IT Risk Management: Guide to Software Risk Assessments and Audits

COMMONWEALTH OF PENNSYLVANIA DEPARTMENT S OF PUBLIC WELFARE, INSURANCE AND AGING

Patch Management. A newsletter for IT Professionals. Issue 6. I. Background of Patch Management. Education Sector Updates

ManageEngine Desktop Central Training

North American Electric Reliability Corporation (NERC) Cyber Security Standard

Analyzing Security for Retailers An analysis of what retailers can do to improve their network security

LANDESK SOLUTION BRIEF. Patch Management

Service Level Agreement

This policy shall be reviewed at least annually and updated as needed to reflect changes to business objectives or the risk environment.

How To Perform An External Security Vulnerability Assessment Of An External Computer System

CORE Security and the Payment Card Industry Data Security Standard (PCI DSS)

Top Three POS System Vulnerabilities Identified to Promote Data Security Awareness

Better secure IT equipment and systems

HIPAA Security COMPLIANCE Checklist For Employers

Minimum Requirements for Cencon 4 with Microsoft R SQL 2008 R2 Express

STRATEGIC POLICY. Information Security Policy Documentation. Network Management Policy. 1. Introduction

ABB s approach concerning IS Security for Automation Systems

Security Awareness For Server Administrators. State of Illinois Central Management Services Security and Compliance Solutions

Network Security Policy

Focus on Security Xerox and the P2600 Hardcopy Device and System Security Working Group

UF IT Risk Assessment Standard

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis

Payment Card Industry Data Security Standard

AHS Flaw Remediation Standard

North Dakota 2013 IT Security Audit Vulnerability Assessment & Penetration Test Project Briefing

NYS LOCAL GOVERNMENT VULNERABILITY SCANNING PROJECT September 22, 2011

WHITE PAPER AUTOMATED, REAL-TIME RISK ANALYSIS AND REMEDIATION

IT Security Procedure

Summary of CIP Version 5 Standards

Payment Card Industry (PCI) Data Security Standard

Patch Management. FITS OM Directory Services Administration Contents. Key

A Database Security Management White Paper: Securing the Information Business Relies On. November 2004

CIP Cyber Security Configuration Change Management and Vulnerability Assessments

Verve Security Center

Managing internet security

HP Application Security Center

Solution Brief for ISO 27002: 2013 Audit Standard ISO Publication Date: Feb 6, EventTracker 8815 Centre Park Drive, Columbia MD 21045

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

Security Vulnerabilities and Patches Explained IT Security Bulletin for the Government of Canada

Configuration control ensures that any changes to CIs are authorized and implemented in a controlled manner.

SANS Top 20 Critical Controls for Effective Cyber Defense

ICT OPERATING SYSTEM SECURITY CONTROLS POLICY

Attaining HIPAA Compliance with Retina Vulnerability Assessment Technology

16) INFORMATION SECURITY INCIDENT MANAGEMENT

WHITEPAPER. Achieving Network Payment Card Industry Data Security Standard (PCI DSS) Compliance with NetMRI

NERC CIP VERSION 5 COMPLIANCE

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY

External Penetration Assessment and Database Access Review

Transcription:

Effective Date: 11/10; Rev.: 07/12 POLICY: Security patching of computer systems attached to the IHS network will follow a defined process that includes, but is not limited to, risk assessment, testing, scheduling, installing, and verifying, regardless of the platform or criticality of the patch. SCOPE: IHS system wide. All IHS and affiliate facilities including, but not limited to, hospitals, ambulatory surgery centers, home care programs, physician practices, all IHS and affiliate departments, and covered group health plans. BACKGROUND: The purpose of this policy is to ensure that IHS computer systems are patched in a way that ensures a consistently configured environment that is secure against known vulnerabilities in operating systems (i.e. Windows), database systems (i.e. SQL), and other systems software (i.e. Internet Information Server). Due to the varying requirements of application security patching, application patching is not included in this policy. Due to the complexity and lowered risk of exposure, security patching of low-level components of computers and servers, (i.e. BIOS and Device Drivers) are not included in this policy. PROCEDURES: 1. Definitions. 1.1 Security Patch Management: Process that involves acquiring, assessing, testing, installing, and verifying Security Patches (or fixes ) for IHS computer systems. 1.2 Vulnerability: A weakness in the operating system or system software that could be exploited for any number of reasons, including, but not limited to, executing malicious code, tampering with data, or hindering network activity. Page 1 of 5 07/12

1.3 Security Patch: A fix to a program that eliminates a Vulnerability that can be exploited by malicious hackers. 1.4 IHS Computer Systems: Mainframes, mini and microcomputers/personal computers (PCs), laptops, servers, networks, routers, bridges, hubs, and various peripheral equipment (e.g. printers and modems) and the software (i.e. operating system) installed on these systems that are owned, leased or maintained by IHS. 1.5 System Administrator: A person who manages and maintains an IHS Computer System. This includes, but is not limited to, server administrators, network administrators, database administrators, and Biomed administrators. 2. Monitoring. 2.1 System Administrators are responsible for monitoring vendor notifications and/or websites, security mailing lists, and other public websites for the availability of new Security Patch releases as they apply to their system. If automated patch management solutions will be used to monitor for patch releases, the solution must be able to provide information regarding available patches, criticality of patches, and systems affected. 3. Review and Evaluation. 3.1 System Administrators are responsible for reviewing each available patch relevant to their system (including reading and understanding applicable release notes), evaluating each patch, and categorizing the criticality of each patch according to the following: 3.1.1 Emergency Targets an imminent threat to IHS systems and/or network. 3.1.2 Critical Targets a known security Vulnerability that affects IHS systems and/or network. 3.1.3 Non-Security A standard patch release update that applies to IHS Computer Systems, but is not intended to fix a security flaw. 3.1.4 Not Applicable No IHS systems affected. 3.2 The criticality of patches, as defined in section 3.1 in this policy, that are applied to the production environment should be documented in the associated Change Control. Page 2 of 5 07/12

3.3 It is the responsibility of the affiliate System Administrator to review patches and their applicability to FDA-regulated devices (i.e. Biomed devices, etc.) and alert the Information Technology Department when it is appropriate to install the patches. 3.4 IHS is dependent on application vendors to ensure their products are compatible with the new Security Patches being released. In the event that a patch fails testing or is not acceptable by an application vendor, System Administrators must implement mitigating controls to reduce the risk of the patch not being applied to the IHS environment. The System Administrator is also responsible for documenting the patch exception on the Patch Exception Form located on the Intranet in accordance with 4.4.2 of this policy. 3.4.1 It is the responsibility of the analyst(s) who supports an application to alert the server administrator(s) if a patch cannot be applied to the servers/workstations on which their supported application resides. 4. Testing and Installation. 4.1 If the System Administrator and/or Information Protection categorizes a patch as an Emergency that will fix an imminent threat to IHS systems, then the testing/install schedule for the specific patch may be expedited. The Manager of Information Protection and the manager of the affected IHS system will determine/approve the expedited testing and install schedule. 4.2 All Emergency and Critical Security Patches must be acquired for testing on IHS Computer Systems within 10 business days of the patch release date. 4.3 It is recommended, but not required by this policy, that non-security Patches be acquired for testing at least quarterly and a determination made as to whether or not the patch will be installed in the production environment. 4.4 All Security Patches will be tested for 2 weeks before being installed in the production environment, excepting Emergency patches if an expedited testing schedule is approved per paragraph 4.1 of this policy. Testing must include validation that the patch was successfully applied and did not cause adverse effects. 4.4.1 If during testing, it is determined that a Security Patch will adversely impact the production environment, the patch will not be pushed to production and other steps to mitigate the Vulnerability must be investigated. Page 3 of 5 07/12

4.4.2 If a Security Patch is not applied to the production environment, the exception must be documented with the following information and submitted to Information Protection for approval via the Patch Exception Form found on the Intranet: System(s) Affected Name and/or Number of Patch Criticality of Patch Release date of Patch Patch testing date(s) Reason Patch was not applied to production Mitigating controls applied in place of patch IT Manager who approved Patch Exception Information Protection will store the patch exceptions in the Exceptions Database located in the Audit & Compliance shared directory. 4.5 All Security Patch installations in the production environment must follow the change control process. 4.6 Non-Security Patches should be installed during regularly scheduled system maintenance to reduce impact to end users. Emergency and Critical Security Patches may be installed outside of regularly scheduled system maintenance only if it is deemed necessary by the Manager of Information Protection and the manager of the affected IHS system. 4.8 Newly installed devices must be patched to the latest patch level according to the specific documented patch management procedures as defined by the System Administrator(s). 5. Verification and Auditing. 5.1 Following the release of all Security Patches to the production environment, the System Administrator(s) is responsible for verifying the patch was installed on all affected systems, and that there are no adverse effects to production systems. System Administrator(s) are responsible for ensuring that patches are installed by manual methods if automated pushes fail on their respective computer systems. 5.2 If adverse effects exist after Security Patch installation, it is the responsibility of the System Administrator to document and implement the roll-back process as defined in the Change Control documentation for the patch. Documentation of the patch roll-back process and the affected system must Page 4 of 5 07/12

also be provided to Information Protection for audit purposes via the Patch Exception Form found on the Intranet. 5.3 Information Protection will conduct quarterly audits on random samplings of IHS computers to ensure Security Patch levels and documentation of patch exceptions are in compliance with this policy. 6. User Responsibility. 6.1 At the close of business each day, users should close all applications and logoff of Windows, leaving the PC powered on to receive security and/or software updates overnight. If PCs are taken off the network or shut down overnight, the updates will be installed on the PC the next time the device is attached to the network and powered on. 6.2 Users must not interfere or disrupt the Security Patch installation process on their computers. 7. Violations. 7.1 Violations of this policy may result in disciplinary actions at the department level, immediate revocation of system access, and/or termination of employment or business contract. /s/ William B. Leaver William B. Leaver IHS President Page 5 of 5 07/12

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information