Information and Communication Technology. Patch Management Policy



Similar documents
Information and Communication Technology. Firewall Policy

How To Recover From A Disaster

Patch Management Procedure. Andrew Marriott PATCH MANAGEMENT PROCEDURE.DOCX Version: 1.1

Information and Communication Technology. Helpdesk Support Procedure

Title: Security Patch Management

UMHLABUYALINGANA MUNICIPALITY PATCH MANAGEMENT POLICY/PROCEDURE

Patch and Vulnerability Management Program

THE TOP 4 CONTROLS.

PATCH MANAGEMENT. February The Government of the Hong Kong Special Administrative Region

Patch Management Policy

Business Continuity Management - A Guide to the Italian Premier Control System

ICT OPERATING SYSTEM SECURITY CONTROLS POLICY

ITP01 - Patch Management Policy

2 Copyright 2015 M. E. Kabay. All rights reserved. 4 Copyright 2015 M. E. Kabay. All rights reserved.

Service Catalog. it s Managed Plan Service Catalog

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

TECHNICAL VULNERABILITY & PATCH MANAGEMENT

SUMMIT ASSET MANAGEMENT DATASHEET

Complete Patch Management

Host Hardening. Presented by. Douglas Couch & Nathan Heck Security Analysts for ITaP 1

Information Technology Services

AHS Flaw Remediation Standard

SECURITY PATCH MANAGEMENT INSTALLATION POLICY AND PROCEDURES

MSP Service Matrix. Servers

Larry Wilson Version 1.0 November, University Cyber-security Program Critical Asset Mapping

The Protection Mission a constant endeavor


Data Management Policies. Sage ERP Online

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

Computer System Security Updates

CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL

Appalachian Regional Commission Evaluation Report. Table of Contents. Results of Evaluation Areas for Improvement... 2

Assuria can help protectively monitor firewalls for PCI compliance. Assuria can also check the configurations of personal firewalls on host devices

Ovation Security Center Data Sheet

UP L04 Introduction to 3 rd Party Patching Using the 4A Model Hands-On Lab

ManageEngine Desktop Central Training

School of Computer Science and Engineering policy with regard to self-administered computers

UMHLABUYALINGANA MUNICIPALITY ANTIVIRUS MANAGEMENT POLICY

Streamlining Patch Testing and Deployment

Sample Vulnerability Management Policy

External Penetration Assessment and Database Access Review

Executive Summary Program Highlights for FY2009/2010 Mission Statement Authority State Law: University Policy:

North Dakota 2013 IT Security Audit Vulnerability Assessment & Penetration Test Project Briefing

Managed Service Plans

Introduction. Special thanks to the following individuals who were instrumental in the development of the toolkits:

Information Technology Solutions

Standard Information Communications Technology. Multifunction Device. January 2013 Version 2.2. Department of Corporate and Information Services

Ovation Security Center Data Sheet

Honeywell Industrial Cyber Security Overview and Managed Industrial Cyber Security Services Honeywell Process Solutions (HPS) June 4, 2014

TOP 10 WAYS TO ADDRESS PCI DSS COMPLIANCE. ebook Series

PCI DSS Reporting WHITEPAPER

Monthly Fee Per Server 75/month 295/month 395/month Monthly Fee Per Desktop/Notebook/ 15/month 45/month 55/month

Fully Managed IT Support. Proactive Maintenance. Disaster Recovery. Remote Support. Service Desk. Call Centre. Fully Managed Services Guide July 2007

Antelope Enterprise. Electronic Documents Management System and Workflow Engine

INCIDENT RESPONSE CHECKLIST

Complete Patch Management

MANAGED SERVICES ON DEMAND SERVICES BACKUP AND DISASTER RECOVERY CLOUD SERVICES HARDWARE AS A SERVICE. Exceed Best

PATCH MANAGEMENT POLICY IT-P-016

Lifecycle Solutions & Services. Managed Industrial Cyber Security Services

modules 1 & 2. Section: Information Security Effective: December 2005 Standard: Server Security Standard Revised: Policy Ref:

Dynamic Service Desk. Unified IT Management. Solution Overview

IBM Tivoli Endpoint Manager for Security and Compliance

DOBUS And SBL Cloud Services Brochure

Patch Management Reference

Better secure IT equipment and systems

OFFICE OF CORPORATE CREDIT UNIONS Risk Reporting for Corporate IT Networks.. Risk Assessment Reporting in Corporate Credit Unions

DOT.Comm Oversight Committee Policy

Electoral Commission. Auction # Patch Management Solution

7 Homeland. ty Grant Program HOMELAND SECURITY GRANT PROGRAM. Fiscal Year 2008

1. Provide hardware/software installation, updates, configuration, troubleshooting and resolution.

Product comparison. GFI LanGuard 2014 vs. Microsoft Windows InTune (October 2013 Release)

ICT Category Sub Category Description Architecture and Design

APS Windows Servers Argonne National Laboratory is managed by The University of Chicago for the U.S. Department of Energy

Novell ZENworks Asset Management

Symphony Plus Cyber security for the power and water industries

Tier3 Remote Monitoring System. Peace of Mind for Less Than a Cup of Coffee a Day

Cyber Essentials Scheme

Complete Patch Management

University of Kent Information Services Information Technology Security Policy

University of California, Riverside Computing and Communications. IS3 Local Campus Overview Departmental Planning Template

Appendix 1c. DIRECTORATE OF AUDIT, RISK AND ASSURANCE Internal Audit Service to the GLA REVIEW OF NETWORK/INTERNET SECURITY

05.0 Application Development

Reducing the cost and complexity of endpoint management

Cloud Services Catalog with Epsilon

AHS Vulnerability Scanning Standard

Introduction. Manageability. What is needed?

An Overview of Information Security Frameworks. Presented to TIF September 25, 2013

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

Hardware and Asset Management Program

Critical Controls for Cyber Security.

Efficient and easy-to-use network access control and dynamic vlan management. Date: F r e e N A C. n e t Swisscom

Cautela Labs Cloud Agile. Secured.

Device Lifecycle Management

Patch Management. A newsletter for IT Professionals. Issue 6. I. Background of Patch Management. Education Sector Updates

Guide to Vulnerability Management for Small Companies

OCCS Procedure. Vulnerability Scanning and Management Procedure Reference Number: Last updated: September 6, 2011

How To Improve Nasa'S Security

Product comparison. GFI LanGuard 2014 vs. Microsoft Windows Server Update Services 3.0 SP2

Server Management-Scans & Patches

Transcription:

BELA-BELA LOCAL MUNICIPALITY - - Chris Hani Drive, Bela- Bela, Limpopo. Private Bag x 1609 - BELA-BELA 0480 - Tel: 014 736 8000 Fax: 014 736 3288 - Website: www.belabela.gov.za - - OFFICE OF THE MUNICIPAL MANAGER Information and Communication Technology Patch Management Policy

TABLE OF CONTENTS 1. MANDATE OF THE ICT DIVISION 2. OBJECTIVE OF THE POLICY 3. APPLICABILITY OF THE POLICY 4. TERMS AND DEFINITIONS 5. ACRONYMS 6. REFERENCES 7. POLICY STATEMENT 8. PROCEDURE 9. COMPLIANCE LEVELS 10. ROLES AND RESPONSIBILITIES 11. MONITORING 12. REVIEW AND EVALUATION 13. RISK ASSESSMENT AND TESTING 14. POLICY REVIEW

POLICY AUTHORITIES Compiled by Designation D Nkuna Divisional Manager IT Signature Date Supported/Not Supported Designation ML Mashishi Acting Corporate Services Manager Signature Date Approved/Not Approved Designation MM Maluleka Municipal Manager Signature Date Effective Date POLICY CHANGE RECORD The following changes have been made to this policy: Version Description of Change Date Approved 001 of 2015 Initial version

1. MANDATE OF THE ICT DIRECTORATE 1.1 The Information and Communications Technology (ICT) Division has the mandate to deliver services, support and maintain ICT infrastructure, for the Municipality to realise its mandate. 2. OBJECTIVE OF THE POLICY 2.1 The objective of this policy is to proactively prevent the exploitation of vulnerabilities on computing and related devices. 2.2 All computers and network devices must be maintained at service provider supported levels and critical security patches must be applied in a timely manner consistent with an assessment of risk. 3. APPLICABILITY OF THE POLICY 3.1 This policy applies to employees, Contractors and Consultants assigned to work at the Municipality. 3.2 This policy covers all servers, workstations, network devices, operating systems, applications, and other information assets for which service providers provide system patches or security updates. 4. TERMS AND DEFINITIONS Term Network Devices Definition Any physical component that forms part of the underlying connectivity infrastructure for a network, such as a router, switch, hub, bridge or gateway. Network Infrastructure Includes servers, network devices, and any other back office equipment.

Patch OS A fix to a known problem with an OS or software program. For the purposes of this document, the term patch will include software updates. Operating System such Windows, Mac, Linux. Risk Assessment Update An evaluation of the level of exposure to a vulnerability for which a patch has been issued. A new version of software providing enhanced functionality or bug fixes. 5. ACRONYMS COBIT ICT ICTSC ITIL Control Objectives for Information Technology Information and Communication Technology Information and Communication Technology Steering Committee Information Technology Infrastructure Library 6. REFERENCES 6.1 International Guidelines Control Objectives for Information Technology (COBIT) 6.2 International Standards Information Technology Infrastructure Library (ITIL) ISO/IEC 17799: Edition 1, 2000 Information Technology Code of practice for 6.3 National Policy Information Security Management Constitution of the Republic of South Africa, Act 108 of 1996 The Electronic Communications and Transactions (ECT) Act 25 of 2002 National Strategic Intelligence Act 2 of 2000 applicable for South Africa Regulation of Interception of Communications Act 70 or 2002

State Information Technology Act 88 of 1998 7. POLICY STATEMENT 7.1 Many computer operating systems such as Microsoft Windows include software application programs that may contain security flaws. Occasionally, one of the flaws may permit an attacker to compromise a computer system. 7.2 A compromised computer system threatens the integrity of the network and all computers connected to that system. Almost all operating systems and many software applications have periodic security patches released by the vendor that need to be applied. Patches which are security related or critical in nature should be installed. 7.3 ICT will review, evaluate, and appropriately apply software patches in a timely manner. Should patches not be applied in a timely manner due to hardware or software constraints, mitigating controls will be implemented based upon the results of a risk assessment. 7.4 ICT will use automated tools, where available, to create a detailed list of all currently installed software on workstations, servers and other networked devices. A manual audit will be conducted on any system or device for which an automated tool is not available. 7.5 In the event that a system must be, reloaded, all relevant data on the current OS and patch level will be recorded. The system should be brought back to the patch levels in effect before reloading. 8. PROCEDURE 8.1 Automated tools will scan for available patches and patch levels, which will be reviewed in accordance with Microsoft s severity rating system which provides single rating per vulnerability. 8.2 Manual scans and reviews will be conducted on systems for which automated tools are not available. 8.3 Risk assessment must be performed within 2 business days of the receipt of notification of critical patches or 2 business days following Microsoft Patch release. If a determination regarding the applicability of the patch or mitigating controls cannot be made in that time, a formal risk assessment process must be initiated. 8.4 Service provider supplied patch documentation will be reviewed in order to assure compatibility with all system components prior to being applied.

8.5 Where feasible, patches will be successfully tested on non production systems installed with the majority of critical applications or services prior to being loaded on production systems. 8.6 Successful backups of mission critical systems will be verified prior to installation of patches and a mechanism for reverting to the patch levels in effect prior to patching will be identified. 8.7 Patches will be applied during an authorised maintenance window in cases where the patch application will cause a service interruption for mission critical systems. 8.8 Patches will be prioritised and applied in accordance with Microsoft s severity rating system. 8.9 Reports will be generated for all system categories (servers, secure desktops or switches) indicating which devices have been patched. System reports help record the status of systems and provide continuity among administrators. The reports may be in paper or electronic form. 8.10 Patch Compliance Reports will be presented at ICT Risk meeting. 9. COMPLIANCE LEVELS 9.1 A compliance level refers to the percentage of computer devices that have been successfully patched or otherwise remediated such that they are no longer vulnerable. 9.2 Although a completely patched environment (100%) would be desirable, however, this does not take into account the reality of: 9.2.1 Users that own multiple computing devices (that are not always connected to the network or switched on). 9.2.2 Traveling employees with laptop computers who do not log into the Departmental network every day. 9.2.3 Computers being repaired or replaced by hardware service provider. 9.2.4 computers that may or may not even still exist on the corporate network, yet still show up on recent network inventory reports. 9.2.5 Failed or over saturated Wide Area Network connections. 9.2.6 Computers registered in Active Directory that have been recycled or re-imaged.

9.2.7 Virtual computer sessions that remain powered off for weeks or months at a time. 9.3 In light of the above considerations, ICT will observe compliance levels in the range between 85% and 97%. 10. ROLES AND RESPONSIBILITIES 10.1 The ICT Division shall: 10.1.1 Track newly discovered vulnerabilities and the associated patch compliance, as they apply to the network and computing devices in the Municipality. This role is also responsible for defining and publishing the Patch Management Policy, Disaster Recovery Plan, and target service levels. 10.1.2 Review Patch Compliance Reports and following up with Network Administrators when compliance is outside the established boundaries. 10.2 The ICT Manager shall: 10.2.1 Approve the scheduled rollout of patches, as they pertain to changes made to the production network environment. 10.3 The Network Administrator shall: 10.3.1 Test patches against the most commonly used workstation and server configurations in the environment. 10.3.2 Test patches for compatibility with business critical applications. 10.3.3 Manage, install and restart assigned servers to apply patches. 10.3.4 Review Windows Update Server Update Services (WSUS) health reports, monitoring the health of the Notification Server Infrastructure, ensuring that the patches are properly downloaded and configuration of the WSUS. 11. MONITORING 11.1 Network Administrator shall monitor security mailing lists, review vendor notifications and Web sites, and research specific public Web sites for the release of new patches. Monitoring will include, but not be limited to, the following: Scanning the Municipality s network to identify known vulnerabilities.

Monitoring notifications, and Web sites of all vendors that have hardware or software operating on Municipality s network. 12. REVIEW AND EVALUATION 12.1 Once alerted to a new patch, Network Administrator shall download and review the new patch hours of its release. Network Administrator shall categorize the criticality of the patch according to the following: Emergency an imminent threat to Bela Bela Local Municipality s network Critical targets a security vulnerability Not Critical a standard patch release update not applicable to Bela Bela Municipality s environment Regardless of platform or criticality, all patch releases will follow a defined process for patch deployment that includes assessing the risk, testing, scheduling, installing, and verifying. 13. RISK ASSESSMENT AND TESTING 13.1 Network Administrator shall assess the effect of a patch to the corporate infrastructure prior to its deployment. The ICT division will also assess the affected patch for criticality relevant to each platform (e.g., servers, desktops, printers, etc.). 13.2 If Network Administrator categorizes a patch as an Emergency, the ICT Division considers it an imminent threat to Municipality s network. Therefore, the Municipality assumes greater risk by not implementing the patch than waiting to test it before implementing. 13.3 Patches deemed Critical or Not Critical will undergo testing for each affected platform before release for implementation. Network Administrator will expedite testing for critical patches. 14. POLICY REVIEW 14.1 This policy shall be reviewed on an annual basis by the ICT Division to: 14.1.1 Determine if there have been changes in International, National or Internal references that may impact on this policy. 14.1.2 Determine if there are improvements or changes in the ICT process that should be reflected in this policy.

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information