TECHNICAL VULNERABILITY & PATCH MANAGEMENT



Similar documents
Patch Management. FITS OM Directory Services Administration Contents. Key

Patch Management Policy

LESSON Windows Server Administration Fundamentals. Understand Updates

ITP01 - Patch Management Policy

Product comparison. GFI LanGuard 2014 vs. Microsoft Windows InTune (October 2013 Release)

INFORMATION GOVERNANCE POLICY: NETWORK SECURITY

Title: Security Patch Management

I.T. Assurance. Letting you do what you do best... run your business

Managed Services Agreement. Hilliard Office Solutions, Ltd. PO Box Phone: Midland, Texas Fax:

SECURITY PATCH MANAGEMENT INSTALLATION POLICY AND PROCEDURES

Computer Security Maintenance Information and Self-Check Activities

Version: 2.0. Effective From: 28/11/2014

UMHLABUYALINGANA MUNICIPALITY PATCH MANAGEMENT POLICY/PROCEDURE

Policy on Connection to the University Network

Service Level Agreement

PATCH MANAGEMENT. February The Government of the Hong Kong Special Administrative Region

Information and Communication Technology. Patch Management Policy

How to Secure Your Environment

How To Manage A System Vulnerability Management Program

Patch and Vulnerability Management Program

Created By: 2009 Windows Server Security Best Practices Committee. Revised By: 2014 Windows Server Security Best Practices Committee

Network Security & Connection Policy

NETWORK SECURITY GUIDELINES

GETTING STARTED WITH A COMPUTER SYSTEM FACTSHEET

Course: Information Security Management in e-governance. Day 1. Session 5: Securing Data and Operating systems

STATE OF NEW JERSEY IT CIRCULAR

Preparing Your Personal Computer to Connect to the VPN

Anomaly Detection and Vulnerability Management. Rolf Strehle, ditis Systeme Heidenheim

IM&T POLICY & PROCEDURE (IM&TPP 01) Anti-Virus Policy. Notification of Policy Release: Distribution by Communication Managers

ICT OPERATING SYSTEM SECURITY CONTROLS POLICY

Endpoint Security Management

G/On. Basic Best Practice Reference Guide Version 6. For Public Use. Make Connectivity Easy

Software Asset Management (SWAM) Capability Description

IT Checklist. for Small Business INFORMATION TECHNOLOGY & MANAGEMENT INTRODUCTION CHECKLIST

How To Manage Your Information Systems At Aerosoft.Com

Maintaining, Updating, and Protecting Windows 7

Managed Service Plans

S3 Control and System Call Indirection

Student Halls Network. Connection Guide

Reducing the cost and complexity of endpoint management

DOBUS And SBL Cloud Services Brochure

Symantec Endpoint Protection

NETWORK AND INTERNET SECURITY POLICY STATEMENT

Data Sheet: Endpoint Security Symantec Endpoint Protection The next generation of antivirus technology from Symantec

Windows Operating Systems. Basic Security

ICT Category Sub Category Description Architecture and Design

AGENDA ITEM: SUMMARY. Author/Responsible Officer: John Worts, ICT Team Leader

PATCH MANAGEMENT POLICY PATCH MANAGEMENT POLICY. Page 1 of 5

BCS IT User Syllabus IT Security for Users Level 2. Version 1.0

Introduction. PCI DSS Overview

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY

Data Management Policies. Sage ERP Online

CuTTIng ComplexITy simplifying security

DeltaV System Software Update Deployment

IMAC/D Service description

PATCH MANAGEMENT POLICY IT-P-016

Managing Security Risks in Modern IT Networks

Implementation and Customer Services ( ICS") Installation Services Standard Terms and Conditions of Supply. (Effective September 2013)

DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Threat and Vulnerability Management V1.0 April 21, 2014

Cyber Essentials Scheme

Healthcare IT Compliance Service. Services > Overview MaaS360 Healthcare IT Compliance Service

Version 5 - July 2015 IT Services Page 2

Ezi Managed Services Pty Ltd Introduction to Our Managed Service Agreement

2012 Endpoint Security Best Practices Survey

Spyware Doctor Enterprise Technical Data Sheet

NCIRC Security Tools NIAPC Submission Summary Microsoft Baseline Security Analyzer (MBSA)

Critical Controls for Cyber Security.

THE IMPORTANCE OF CODE SIGNING TECHNICAL NOTE 02/2005

IT Support & Maintenance Contract

Supporting SUCCESS. premier. computers. Your

Customer Success California Department of Corrections & Rehabilitations (CDCR)

INFORMATION GOVERNANCE POLICY: PROTECTION AGAINST MALICIOUS SOFTWARE

Are You in Control? MaaS360 Control Service. Services > Overview MaaS360 Control Overview

Prepared by: OIC OF SOUTH FLORIDA. May 2013

2 Copyright 2015 M. E. Kabay. All rights reserved. 4 Copyright 2015 M. E. Kabay. All rights reserved.

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

BlackBerry Enterprise Server Express System Requirements

UMHLABUYALINGANA MUNICIPALITY ANTIVIRUS MANAGEMENT POLICY

Cyber Risk Mitigation via Security Monitoring. Enhanced by Managed Services

HOSTEDMIDEX.CO.UK. Additional services are also available according to Client specific plan configuration.

Symantec Protection Suite Small Business Edition A simple, effective and affordable solution designed for small businesses

Data Sheet: Endpoint Security Symantec Endpoint Protection The next generation of antivirus technology from Symantec

DOT.Comm Oversight Committee Policy

How To Manage A Patch Management Process

RL Solutions Hosting Service Level Agreement

Product comparison. GFI LanGuard 2014 vs. Microsoft Windows Server Update Services 3.0 SP2

NOT PROTECTIVELY MARKED. A087 Version 1.0

Taking a Proactive Approach to Patch Management. B e s t P r a c t i c e s G u i d e

Information Security Policy September 2009 Newman University IT Services. Information Security Policy

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

THE TOP 4 CONTROLS.

Understand Backup and Recovery Methods

Ovation Security Center Data Sheet

Karen Winter Service Manager Schools and Traded Services

Contact details For contacting ENISA or for general enquiries on information security awareness matters, please use the following details:

7 Steps to Safer Computing

IT Onsite Service Contract Proposal. For. <<Customer>> Ltd

3.2 This situation is also experienced by Officers who also need remote access to Council networks.

Technical Writing - A Guide to IT Support Contract

Transcription:

INFORMATION SECURITY POLICY TECHNICAL VULNERABILITY & PATCH MANAGEMENT ISO 27002 12.6.1 Author: Owner: Organisation: Document No: Chris Stone Ruskwig TruePersona Ltd SP-12.6.1 Version No: 1.1 Date: 1 st September 2009 Copyright Ruskwig Ruskwig provides you with the right to copy and amend this document for your own use You may not resell, ask for donations for, or otherwise transfer for value the document.

Document Control Document Storage Document Title Document Location Technical Vulnerability & Patch Management C:\www\Ruskwig\docs\iso-27002\Technical Vulnerability Patch Management - RW.doc Version History Version No Version Date Author 1.1 01/09/2009 Chris Stone First Issue Summary of Changes Approvals Name Title Date of Approval Chris Stone Head of ICT 01/09/2009 1.1 Version No Distribution Name Title Date of Issue Everyone Internet 03/01/2010 1.1 Version No Page 2 of 9

Contents DOCUMENT CONTROL 2 Document Storage 2 Version History 2 Approvals 2 Distribution 2 CONTENTS 3 0. OVERVIEW 4 1. PURPOSE 4 2. SCOPE 4 3. RISKS 4 4. POLICY 5 4.2 Up to date Inventory 5 4.3 Vulnerability Scanning 5 4.4. Identifying Patches to be Applied 5 4.5 Types of Patches 6 4.6 Roles and Responsibilities 6 4.7 Patching Schedule 7 5. ENFORCEMENT 8 6. DEFINITIONS 9 Page 3 of 9

0. Overview 0.1 The goal of vulnerability and patch Management is to keep the components that form part of information technology infrastructure (hardware, software and services) up to date with the latest patches and updates. 0.2 Vulnerability and patch management is an important part of keeping the components of the information technology infrastructure available to the end user. Without regular vulnerability testing and patching, the information technology infrastructure could fall foul of problems which are fixed by regularly updating the software, firmware and drivers. Poor patching can allow viruses and spyware to infect the network and allow security weaknesses to be exploited. 1. Purpose 1.1 This policy defines the procedures to be adopted for technical vulnerability and patch management. 2. Scope 2.1 This policy applies to all components of the information technology infrastructure and includes:- Computers Servers Application Software Peripherals Cabling Routers and switches Databases Storage Telephone Systems 2.2 All staff within the IT Department must understand and use this policy. IT staff are responsible for ensuring that the vulnerabilities within the IT infrastructure are minimised and that the infrastructure is kept patched up to date. 2.3 All users of users have a role to play and a contribution to make by ensuring that they allow patches to be deployed to their equipment. 3. Risks 3.1 Without effective vulnerability and patch management there is the risk of the unavailability of systems. This can be caused by viruses and malware exploiting systems or by out of date software and drivers making systems unstable. Page 4 of 9

4. Policy 4.1 The organisation s IT infrastructure will be patched according to this policy to minimise vulnerabilities. 4.2 Up to date Inventory 4.2.1 The IT Department will maintain an up to date inventory of the components within the organisation s IT infrastructure. 4.2.2 The software and hardware identified will scanned for vulnerabilities and patched according to this policy. 4.3 Vulnerability Scanning 4.3.1 All of the hardware and software on the organisation s network will be scanned using a vulnerability scanner to identify weaknesses in the configuration of systems and to determine if any systems are missing important patches, or software such as anti-virus software. 4.3.2 The organisation s network will be scanned at a minimum on a quarterly basis. 4.3.3 Remediation will be undertaken of any vulnerabilities identified. 4.4. Identifying Patches to be Applied 4.4.1 The organisation s anti-virus server will be configured to automatically down load the latest virus and spyware definitions and push them to the servers, PC s and tablets running on the network. 4.4.2 Windows patch management tools will be utilised to automatically download the latest Microsoft security patches. The patches will be reviewed and applied as appropriate. 4.4.3 Security weaknesses and software update notifications issued by Computer Emergency Response Teams (CERT) will be monitored on a regular basis and any critical issues affecting the organisation s IT infrastructure will be attacked upon immediately. 4.4.4 Notifications of patches from application and database vendors will be reviewed and the patches applied as appropriate. Where notifications are not automatically sent, the suppliers website will be reviewed on a regular basis. 4.4.5 The websites of the suppliers of servers, PC s, tablets, printers, switches, routers and peripherals will be reviewed to determine the availability of firmware patches. 4.4.6 Missing patches identified as a result of vulnerability scanning will be implemented as appropriate. Any weaknesses identified will be rectified. Page 5 of 9

4.5 Types of Patches 4.5.1 The following patches will be implemented on the different information infrastructure types. Type Server / Computer Operating System Application Software Router and Switches Anti Virus / Anti Spyware Printers Scanners Patch BIOS, firmware, drivers Service packs, patches, feature packs Service packs, patches, feature packs Firmware Data file/virus definition update Driver, firmware Driver, firmware 4.6 Roles and Responsibilities 4.6.1 The employees detailed below will be responsible for patch management. Role Responsible Officer Comments Patch identification System Owners and System Administrators Technical Patch Administration Technical Release Administration Application Patch Administration Application Release Administration Vulnerability & Security scanning Technical Team Manager Technical Team Manager System Administrators System Administrators Security Manager Responsible for identifying patches for the application systems which they own or administer. Responsible for patch approval and ownership of all technical updates including:- Operating systems patches for PC s and servers Antivirus and antispyware Firmware Printer drivers. Responsible for the planning, building, testing and deploying new hardware or software. Responsible for patch approval and ownership of all application updates. Responsible for the planning, building, testing and deploying new application software. Responsible for scanning the components on the network for security weaknesses and missing patches. Change Manager Change Approval Board Responsible for the assessment and approval of major ICT infrastructure changes or the introduction of new hardware or software. Page 6 of 9

4.7 Patching Schedule 4.7.1 The organisation s ICT infrastructure will be patched according to this schedule. 4.7.2 PC s & Tablets 4.7.3 PC s and tablets should be patched according to the schedule below. Daily Weekly Monthly Quarterly Six monthly Microsoft critical updates, and security updates configured to be approved for rollout as they are released. Anti-virus and spyware definitions configured to be installed automatically as they are released. New software releases reviewed and approved as required. Check that drivers are up to date. Review vulnerability scans and remediate as required. Check for BIOS updates. 4.7.4 Windows Servers 4.7.5 Servers should be patched according to the schedule below. Daily Weekly Monthly Quarterly Six monthly Anti-virus and spyware definitions will be configured to be installed automatically as they are released. Critical security patches reviewed and approved as required. Public facing servers apply all outstanding patches. Apply all outstanding patches. Check that drivers are up to date. Review vulnerability scans and remediate as required. Check for new printer drivers. Check for BIOS updates. 4.7.6 Sun Servers 4.7.7 Sun servers should be patched according to the schedule below. Weekly Quarterly Critical security patches reviewed and installed as required. Apply latest rollup patch. Review vulnerability scans and remediate as required. Page 7 of 9

4.7.8 Printers, Peripherals, Switches, Routers and Storage 4.7.9 Printers, peripherals, switches and routers and storage should be patched according to the schedule below. Annually Check for new firmware updates. 4.7.10 Telephone System 4.7.11 The telephone system should be patched according to the schedule below. Annually Apply important software updates. 4.7.12 Application software and databases 4.7.13 Application software and databases should be patched according to the schedule below. Monthly Quarterly Critical security patches reviewed and installed as required. Apply latest software patches. 5. Enforcement 5.1 If any member of IT staff is found to have breached this policy, they may be subject to disciplinary action. 5.2 Users who systematically breach this policy by failing to allow the equipment that they use to be updated, may be subject to disciplinary action. Page 8 of 9

6. Definitions 6.1 The following patch management terms are used within this policy. Patch or fix Security Patch Hotfix Driver Service release or service pack Critical Update Update Version or build A release of software that includes bug fixes or performanceenhancing changes. A broadly released fix for a specific product, addressing a security vulnerability. A single package composed of one or more files used to address a problem in a product. Software required by the operating system to make a piece of hardware function. A release of software that bundles together several patches and/or updates to provide a clear benchmark or level of release (e.g. Service Pack 1). A broadly released fix for a specific problem, addressing a critical, non-security related bug. A release of software that adds new functionality to an earlier version. Software that has a numeric or named attribute denoting its maturity or age (e.g Version 5.6.1). Page 9 of 9

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information