Information Technology Department
Procedure Document

Patch Management Procedure
Internal





History Log

Version | Date | Author
1.0 | 1st 2017 | Information Dynamics
1.1 | 26th January 2019 | Information Dynamics
1.2 | 10th Dec 2019 | Information Dynamics, Added KPI
1.3 | 08th Dec 2020 | Shaik & Mani

1. Introduction
The purpose of this procedure is to ensure that software & computer systems attached to the Information Dynamics network are updated accurately and in a timely manner with security protection mechanisms (patches) for known vulnerabilities and exploits. These mechanisms are intended to reduce or eliminate the vulnerabilities and exploits with impact to the business.

2. Scope
This procedure applies to all Software, Server OS, Desktop OS, Laptop OS, Printer firmware & Network element firmware of Information Dynamics.
The scope will be applicable to all activities under the scope statement of Information Dynamics.
ISO 27001:2013 Domain Reference: A.12.6.1 – Technical Vulnerability Management

3. Roles and Responsibilities
Responsibilities required for fulfilling the utilization, support and administration roles for the patch management procedure are identified and documented within a standardized framework.

Support Role: Corporate Security Department - Information Security Team
Responsibility:
- Monitoring
- Daily, Weekly and Monthly Review of current patch versions.
- Receipt of events
- Tracking of vulnerabilities & new fixes
- Reporting Medium/High Risk vulnerabilities to the Incident Response Team.











IT Infrastructure Department

Support Role: IT Network
Responsibility:
- Patching and updating Network Elements (F/W, Routers, Switches, IPS/ etc) with the patches.
- Communicate patches & updates to the Information Security Team
- Notification of any suspect event (OS level) to the Information Security Team
- Organise System backup before patching
- Conduct periodic review of security with the Information Security Team
- Inform and review high risk vulnerabilities and alerts with the Information Security Team.

Support Role: Administrators
Responsibility:
- Patching and updating Applications with the patches.
- Communicate patches & updates to the Information Security Team.
- Conduct review of security events with the Information Security Team & with the vendor.
- Inform and review high risk vulnerabilities and alerts with the Information Security Team.

Support Role: System Administrators
Responsibility:
- Patching and updating OS (Sun, Windows etc) with the latest patches.
- Communicate patches & updates to the Information Security Team
- Notification of any suspect security event ( level) to the Information Security Team
- Organise System backup before patching
- Conduct review of security events with the Information Security Team
- Inform and review high risk vulnerabilities and alerts with the Information Security Team.

Support Role: Help Desk
Responsibility:
- Notify the Information Security Team about malicious/suspicious activity/complaints on the network
















4. Patch Management flow-chart

 
5. Patch Management Procedure
5.1 Pre Deployment
5.1.1 Inventory of all systems & applications

Assigned Area: Information Security Team & System Administrators
Objective: Get a complete inventory of all in-scope systems & applications; for example, all routers, their model & their OS or version.







5.1.2 Running a Vulnerability analysis

Assigned Area: Information Security Team & System Administrators
Objective: The analysis should verify the current patch status, possible vulnerabilities, and what steps are needed for remediation.







5.1.3 Analysing severity of the vulnerabilities

Assigned Area: Information Security Team
Objective: Determine the severity level based on the scope and of the event.







The analysed severity should be categorized into 3 categories:
- Low
- Medium
- High

5.1.4 Obtaining the correct patches

Assigned Area: System Administrators
Objective: Preparing for applying patches on all in-scope software & systems.








5.2 Deployment
5.2.1 Implementing Patches on a Test environment

Assigned Area: Administrators
Objective: Assure that patches are stable and have no adverse effect. A patch must not affect the current Production environment. Once confirmed, patches should be applied to selected users for further testing.







5.2.2 Implementing patches on a Production (Live) system

Assigned Area: Administrators
Objective: Make sure patches are installed properly. To assure a smooth roll-out, there must be a good plan for roll-back if anything goes wrong. Patches must be installed within 30 days of their release.







5.3 Post Deployment
5.3.1 the Network once again

Assigned Area: Information Security Team
Objective: To assure that all machines received the intended patch and, if applicable, determine why the un-patched systems did not.







5.3.2 Update System Configuration Standard

Assigned Area: Information Security Team, System Administrators
Objective: Once the patches are successfully implemented, all System Configuration standards should be updated to reflect the updates.







5.3.3 Daily Vulnerability Check

Assigned Area: Information Security Team
Objective: To maintain all machines & software with the latest patches








Associated Documentation
- Vulnerability Assessment reports
- Penetration Test Reports
- Bulletin details

Measurement KPIs

KPI: Patch Management Process
Frequency: Quarterly
Objective: Measure whether the released security and critical MS patches are being installed in the environment
Data Source: scan reports, Missing patch reports
Threshold:
- 100% of Servers need to have security and Critical Patches installed.
- At least 95% of the end users' systems need to have updated and Critical Patches installed.