Information Technology Department
Procedure Document
Patch Management Procedure Internal Page 1
Patch Management Procedure
History Log

| Version | Date | Author |
|---|---|---|
| 1.0 | 1st November 2017 | Information Dynamics |
| 1.1 | 26th January 2019 | Information Dynamics |
| 1.2 | 10th Dec 2019 | Information Dynamics, Added KPI |
| 1.3 | 08th Dec 2020 | Shaik & Mani |
| 1.4 | 08th Dec 2021 | Shaik & Soundar |
1. Introduction
The purpose of this procedure is to ensure that software & computer systems attached to
the Information Dynamics network are updated accurately and in a timely manner with security
protection mechanisms (patches) for known vulnerabilities and exploits. These
mechanisms are intended to reduce or eliminate the vulnerabilities and exploits with
limited impact to the business.
2. Scope
This procedure applies to all Software, Server OS, Desktop OS, Laptop OS, Printer
firmware & Network element firmware of Information Dynamics.
The scope applies to all activities under the scope statement of Information
Dynamics.
ISO 27001:2013 Domain Reference: A.12.6.1 Technical Vulnerability Management
3. Roles and Responsibilities
Responsibilities required for fulfilling the utilization, support and administration roles for
the patch management procedure are identified and documented within a standardized
framework.
Responsibility

- Monitoring
- Daily, Weekly and Monthly Review of current patch versions.
- Receipt of escalated events
- Tracking of vulnerabilities & new fixes
- Reporting Medium/High Risk vulnerabilities to the Incident Response Team.

- Patching and updating Network Elements (F/W, Routers, Switches, IPS/IDS etc.) with the latest patches.
- Communicate patches & updates to Information Security Team.
- Notification of any suspect security event (OS level) to the Information Security Team.
- Organise System backup before patching.
- Conduct periodic review of security events with the Information Security Team.
- Inform and review high risk vulnerabilities and alerts with Information Security Team.

- Patching and updating Applications with the latest patches.
- Communicate patches & updates to Information Security Team.
- Conduct periodic review of security events with the Information Security Team & with the vendor.
- Inform and review high risk vulnerabilities and alerts with Information Security Team.

- Patching and updating OS (Sun, Windows etc.) with the latest patches.
- Communicate patches & updates to Information Security Team.
- Notification of any suspect security event (OS level) to the Information Security Team.
- Organise System backup before patching.
- Conduct periodic review of security events with the Information Security Team.
- Inform and review high risk vulnerabilities and alerts with Information Security Team.

- Notify Information Security Team about malicious/suspicious activity/complaints on the network.
4. Patch Management flow-chart
[Flow chart. Stage markers: Pre Deployment Start, Pre Deployment End, Post Deployment Start. Process boxes: Inventory of all systems & applications; Running a Vulnerability analysis; Analysing severity of the vulnerabilities; Obtaining the correct patches; Implementing patches on a test environment; Testing Roll-Back Procedure; Implementing patches on a live system; Scanning the network once again; Daily vulnerability check. Decision points (Yes/No): Roll-Back Succeeded; All Patches in Place; New Vulnerability.]
5. Patch Management Procedure
5.1 Pre Deployment
5.1.1 Inventory of all systems & applications
Assigned Area: Information Security Team & System Administrators
Objective: Getting a complete inventory of all in-scope systems & applications, for example all routers, their model & their OS or firmware version.
5.1.2 Running a Vulnerability analysis
Assigned Area: Information Security Team & System Administrators
Objective: The analysis should verify the current patch status, possible vulnerabilities, and what steps are needed for remediation.
5.1.3 Analysing severity of the vulnerabilities
Assigned Area: Information Security Team
Objective: Determine the severity level based on the scope and impact of the event.
After analysis, the severity should be categorized into 3 categories:
- Low
- Medium
- High
5.1.4 Obtaining the correct patches
Assigned Area: System Administrators
Objective: Preparing for applying patches on all in-scope software & systems.
5.2 Deployment
5.2.1 Implementing Patches on a Test environment
Assigned Area: System Administrators
Objective: Ensure that patches are stable and have no adverse effect. Patches must not affect the current production environment. Once confirmed, patches should be applied to selected users for further testing.
5.2.2 Implementing patches on a Production (Live) system
Assigned Area: System Administrators
Objective: Make sure patches are installed properly. To ensure a smooth roll-out, there must be a good plan for roll-back if anything goes wrong. Patches must be installed within 30 days of their release.
5.3 Post Deployment
5.3.1 Scanning the Network once again
Assigned Area: Information Security Team
Objective: To ensure that all machines received the intended patch and, if applicable, determine why the unpatched systems did not.
5.3.2 Update System Configuration Standard
Assigned Area: Information Security Team, System Administrators
Objective: Once the patches are successfully implemented, all System Configuration standards should be updated to reflect the updates.
5.3.3 Daily Vulnerability Check
Assigned Area: Information Security Team
Objective: To maintain all machines & software with the latest patches.
Associated Documentation
- Vulnerability Assessment reports
- Penetration Test Reports
- MS Bulletin details
Measurement KPIs
KPI: Patch Management Process
Frequency: Quarterly
Objective: Measure whether the released security and critical MS patches are being installed in the environment.
Data Source: VA scan reports, Missing patch reports
Threshold:
- 100% of Servers need to have updated security and Critical Patches installed.
- At least 95% of the end-user systems need to have updated security and Critical Patches installed.