
Information Technology Department
Policy Document

Patch Management Policy

Version 3.0
<Date>

History Log
Version             Date       Author
Draft Version 3.0   Aug 2014   ControlCase

Patch Management Policy Page 1



Contents
1. Purpose ........ 3
2. Scope .......... 3
3. Policy ......... 3




1. Purpose

The purpose of this policy is to ensure timely remediation of vulnerabilities in IT systems by
patching them, so that they cannot be exploited by internal or external threats.

2. Scope

This policy applies to all computing devices and software connected to the <Name of the Organization>
network, including but not limited to personal computers, servers, mainframes, software,
databases, PDAs and notebooks.

3. Policy

Patch management protects <Name of the Organization> systems from vulnerabilities in a timely
manner, maintains system stability and keeps system functionality at optimum performance at all
times.
3.1 The IT Operations team shall be responsible for patch management.
3.2 Patches and patch-related information shall be obtained only from authorized/trusted sources.
3.3 The Information Security team shall subscribe to the mailing lists of vendors and reputable outside
security agencies (e.g. OWASP, NIST, CIS, CERT) to receive notifications of security vulnerabilities,
zero-day vulnerabilities and new patch releases for all system platforms and software used in the
organizational environment (PCI DSS 3.0 Reference – Requirement 6.1.a).
3.4 The Information Security team shall perform a security impact review for each newly discovered
security vulnerability and assign it a risk ranking (for example 'High', 'Medium' and 'Low').
The Information Security team may use any of the following approaches to determine the vulnerability
risk ranking:
- CVSS base score of the vulnerability
- Vendor / OEM defined risk ranking for the vulnerability
- Risk ranking assigned by the vulnerability scanning tool

The Information Security team must consider the likelihood of exploitation and the exploitation factor
(e.g. whether an exploit is publicly available) for each vulnerability when deciding the risk and risk
ranking (PCI DSS 3.0 Reference – Requirement 6.1.a).

3.5 Change management procedures shall be followed for patch deployment. Patches shall be
tested in a test environment before implementation in the production environment.
Where testing is not feasible, an exception to this requirement shall be recorded.
3.6 Applicable critical vendor-supplied security patches shall be installed on all systems in the
<Name of the Organization> IT environment within one month of release, prioritized according to
the severity and impact of the vulnerabilities (PCI DSS 3.0 Reference – Requirement 6.2.a).
3.7 IT Operations shall maintain a published schedule for deploying patches.
3.8 IT Operations shall communicate patch implementation information to the intended
audience before implementation in the production environment.
3.9 Patch completion records shall be archived for future reference with relevant details.
3.10 Ensure that all system components and software have the latest vendor-supplied patches
installed. Only relevant patches must be installed, according to the schedule defined below (exception:
virus outbreak and similar situations) (PCI DSS 3.0 Reference – Requirement 6.2.a).

Patch Category                              Patch Deployment Schedule
System Critical Patches (Higher Risk)       Within 24 hours to 1 month (based on severity)
System Non-Critical Patches (Lower Risk)    1 month to 2 months

3.11 Administrative access to Patch Management servers must be provided to personnel only after
proper authorization.
3.12 Technical vulnerabilities as reported by vendors and security advisory services must be dealt with
in a timely manner.


3.13 There must be a vulnerability assessment process that evaluates the operational risk associated
with reported vulnerabilities, and prioritizes actions to be taken within specified times to manage
the risk.
3.14 Roles and responsibilities must be established for technical patch / vulnerability
management. These roles must specify who is responsible for:
- Vulnerability Monitoring: those receiving the notification alerts from different trusted
sources.
- Vulnerability Risk Assessment: those assessing the impact on the environment and
setting the priority.
- Patch Verification: those deciding the applicability of patches and testing them.
- Patch Management: those applying patches and tracking their distribution across all
production systems.
- Coordination: how vulnerability notifications and patch application are communicated
across the groups responsible for patch deployment. Coordinators are also responsible
for end-user communication for threat containment.
3.15 Patch implementation steps must be monitored on a periodic basis and patch completion
records must be archived for future reference with relevant details.
3.16 All computers connecting to <Name of the Organization> network must have automated
procedures for maintaining the operating system at latest and stable patch levels.
3.17 All systems (except in-house developed applications) must be configured to download relevant
patches automatically from designated Patch Management Server(s).
3.18 When patches are not readily available, or their deployment would have unacceptable adverse
impacts on the business, operations teams must consider the following mitigating controls for risk
management:
- Network filtering.
- Increased monitoring.
- Awareness training / communications.
- Temporarily disabling impacted services / features.


The <Name of the Responsible area> is the owner of this document and is responsible for
ensuring that this policy document is reviewed in line with the review requirements stated
above.

A current version of this document is available to all members of staff.

This policy was approved by TITLE and is issued on a version-controlled basis under his/her
signature.

Signature: Date:
