PATCH MANAGEMENT POLICY IT-P-016



Similar documents
PATCH MANAGEMENT POLICY PATCH MANAGEMENT POLICY. Page 1 of 5

Patch Management Policy

UMHLABUYALINGANA MUNICIPALITY PATCH MANAGEMENT POLICY/PROCEDURE

Introduction. PCI DSS Overview

Data Management Policies. Sage ERP Online

Patch Management Procedure. Andrew Marriott PATCH MANAGEMENT PROCEDURE.DOCX Version: 1.1

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

Nessus Agents. October 2015

Reducing the cost and complexity of endpoint management

September 2005 Report No FDIC s Information Technology Configuration Management Controls Over Operating System Software

SECURING YOUR SMALL BUSINESS. Principles of information security and risk management

Policy Title: HIPAA Security Awareness and Training

The Protection Mission a constant endeavor

DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Threat and Vulnerability Management V1.0 April 21, 2014

IBM Tivoli Endpoint Manager for Lifecycle Management

IBM Tivoli Endpoint Manager for Security and Compliance

IBM Tivoli Endpoint Manager for Security and Compliance

Antivirus and Malware Prevention Policy and Procedures (Template) Employee Personal Device Use Terms and Conditions (Template)

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

Information Technology Policy

Computer and Network Security Policy

TECHNICAL VULNERABILITY & PATCH MANAGEMENT

Information and Communication Technology. Patch Management Policy

Get what s right for your business. Technologies.

Leveraging a Maturity Model to Achieve Proactive Compliance

eeye Digital Security Product Training

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

HIGH-RISK SECURITY VULNERABILITIES IDENTIFIED DURING REVIEWS OF INFORMATION TECHNOLOGY GENERAL CONTROLS

The ROI of Automated Agentless Endpoint Management

Why you need an Automated Asset Management Solution

How To Improve Nasa'S Security

Vulnerability Audit: Why a Vulnerability Scan Isn t Enough. White Paper

Device Lifecycle Management

Complete Patch Management

Title: Security Patch Management

LESSON Windows Server Administration Fundamentals. Understand Updates

Complete Patch Management

Connecticut Justice Information System Security Compliance Assessment Form

G/On. Basic Best Practice Reference Guide Version 6. For Public Use. Make Connectivity Easy

Did you know your security solution can help with PCI compliance too?

Office of the Auditor General Performance Audit Report. Statewide UNIX Security Controls Department of Technology, Management, and Budget

IBM Tivoli Endpoint Manager for Lifecycle Management

How To Monitor Your Entire It Environment

Best Practices for DanPac Express Cyber Security

C. Author(s): David Millar (ISC Information Security) and Lauren Steinfeld (Chief Privacy Officer)

Network Access Protection (NAP)

Sygate Secure Enterprise and Alcatel

IT INFRASTRUCTURE MANAGEMENT SERVICE ADDING POWER TO YOUR NETWORKS

GFI White Paper PCI-DSS compliance and GFI Software products

Executive Summary Program Highlights for FY2009/2010 Mission Statement Authority State Law: University Policy:

Standard CIP Cyber Security Systems Security Management

Belmont Savings Bank. Are there Hackers at the gate? 2013 Wolf & Company, P.C.

STRATEGIC POLICY. Information Security Policy Documentation. Network Management Policy. 1. Introduction

Step-by-Step Guide to Securing Windows XP Professional with Service Pack 2 in Small and Medium Businesses

Office of Inspector General

How To Deploy Software Updates Using SCCM 2012 R2

PROTECTION SERVICE FOR BUSINESS WELCOME TO THE BUSINESS OF FREEDOM

Standard CIP 007 3a Cyber Security Systems Security Management

Global Partner Management Notice

The Value of Vulnerability Management*

Deploying BitDefender Client Security and BitDefender Windows Server Solutions

CITY OF BOULDER *** POLICIES AND PROCEDURES

Information Security Policy

Capital District Vulnerability Assessment

Best Practices for PCI DSS V3.0 Network Security Compliance

The self-defending network a resilient network. By Steen Pedersen Ementor, Denmark

Consensus Policy Resource Community. Lab Security Policy

Better secure IT equipment and systems

Unicenter Asset Intelligence r11

SECURITY ORGANISATION Security Awareness and the Five Aspects of Security

Altiris IT Management Suite 7.1 from Symantec

Security Policy for External Customers

Ctfo MANAGEMENT SECURITY PATCH. Felicia M. Nicastro. Second Edition. CRC Press. VC#*' J Taylor & Francis Group / Boca Raton London New York

Vulnerability Management ROI Calculator User Guide. v2.0 Monday, September 29, Copyright 2008, Lumension Security

IBM Endpoint Manager for Lifecycle Management

Sophos Endpoint Security and Control on-premise installation best practice guide. Endpoint Security and Control 10 Enterprise Console 5

Secondary DMZ: DMZ (2)

HIPAA Risk Analysis By: Matthew R. Johnson GIAC HIPAA Security Certificate (GHSC) Practical Assignment Version 1.0 Date: April 12, 2004

Critical Controls for Cyber Security.

Using WMI Scripts with BitDefender Client Security

Complete Patch Management

How To Manage A System Vulnerability Management Program

Transcription:

IT-P-016 Date: 28 th March, 2016

Stamford International University ( STIU ) Patch Management Policy Rationale Stamford International University ( STIU ) is responsible for ensuring the confidentiality, integrity, and availability its data and that of customer data stored on its systems. STIU has an obligation to provide appropriate protection against malware threats, such as viruses, Trojans, and worms which could adversely affect the security of the system or its data entrusted on the system. Effective implementation of this policy will limit the exposure and effect of common malware threats to the systems within this scope. 2

Purpose This document describes the requirements for maintaining up-to-date operating system security patches on all STIU owned and managed workstations and servers. Scope This policy applies to workstations or servers owned or managed by STIU. This includes systems that organizational data owned or managed by STIU regardless of location. The following systems have been categorized according to management: Linux servers managed by Infrastructure Maintenance & Engineering Team Microsoft Windows servers managed by Infrastructure Maintenance & Engineering Team Workstations (desktops and laptops) managed by Site Support Engineering Team Policy Information Responsible Office: Department of Information Technology, Stamford International University Issued On: 28 th March, 2016 3

Revision History Revision Number Document Number Description Effective Date 00 IT-P-016 New Release 3 rd September, 2015 01 IT-P-016 Revision 1 28 th Mach, 2016 Revision: The University reserves the right to change this policy from time to time. Proposed changes will normally be developed by the policy managers with appropriate stakeholders. The review entities have sole authority to approve changes to this policy. 4

Contents Stamford International University ( STIU ) Patch Management Policy... 2 Rationale... 2 Purpose... 3 Scope... 3 Policy Information... 3 Revision History... 4 Recommendations and Approvals... 6 Policy... 7 Workstations... 7 Servers... 7 Roles and Responsibilities... 7 Patch Management Methodology... 8 Auditing and Monitoring... 8 Enforcement... 9 Exceptions... 9 Policy Review... 9 APPENDIX A: Topology of Patch Management Infrastructure... 10 5

Policy Workstations and servers owned by STIU must have up-to-date operating system security patches installed to protect the asset from known vulnerabilities. This includes all laptops, desktops, and servers owned and managed by STIU. Workstations Desktops and laptops must have automatic updates enabled for operating system patches. This is the default configuration for all workstations built by STIU. Any exception to the policy must be documented and forwarded to the Office of the CISO for review. See Section on Exceptions. Servers Servers must be regularly updates with latest service packs, hotfixes, and patches required to ensure the security of the STIU asset and the data that resides on the system, except for cases where deployment of such patches will obstruct normal operation of Applications hosted on the server. Any exception to the policy must be documented and forwarded to the Office of the CISO for review. See Section on Exceptions. Roles and Responsibilities Infrastructure Maintenance & Engineering Team will manage the patching needs for the Linux, Unix, and Solaris servers on the network. Infrastructure Maintenance & Engineering Team will manage the patching needs for the Microsoft Windows servers on the network. Site Support Engineering Team will manage the patching needs of all workstations on the network and ensure all system images maintained are up to date with the latest patches. Information Security is responsible for routinely assessing compliance with the patching policy and will provide guidance to all groups in issues of security and patch management. The Change Management Board is responsible for approving the monthly and emergency patch management deployment requests. 7

Patch Management Methodology Microsoft s System Center Configuration Manager (SCCM) is utilized to deploy patches. The entire patch management infrastructure is managed, updates can be controlled, reports can be run and vulnerability information can be displayed through SCCM. Patch approval will take place at the primary SCCM server (upstream), while the actual deployment will take place through secondary update servers (downstream) at individual sites. Patches will be deployed on Wednesday of every week. Missed schedules will be run on the next business day. Appendix A outlines the topology of STIU s Patch Management Infrastructure. Auditing and Monitoring Active patching teams noted in the Roles and Responsibility section are required to compile and maintain reporting metrics that summarize the outcome of each patching cycle. These reports shall be used to evaluate the current patching levels of all systems and to assess the current level of risk. These reports shall be made available to Information Security and Internal Audit upon request. 8

Enforcement Implementation and enforcement of this policy is ultimately the responsibility of all employees at STIU. Any system found in violation of this policy shall require immediate corrective action. Violations shall be noted in the STIU s helpdesk system and support teams shall be dispatched to remediate the issue. Repeated failures to follow policy may lead to disciplinary action. Exceptions Exceptions to the patch management policy require formal documented approval from the Office of the CISO. Any servers or workstations that do not comply with policy must have an approved exception on file with the CISO. Policy Review The policy shall be reviewed after every year or as and when the need arises. 9

APPENDIX A: Topology of Patch Management Infrastructure 10

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information