I nf o r m a ti o n Technology Department
Procedure Document
Patch Management Procedure Internal Page 1
Patch Management Procedure
Information Dynamics, Added KPI
I nf o r m a ti o n Technology Department
Procedure Document
Patch Management Internal Page 2
1. Introduction
The purpose of this procedure is to ensure that software & computer systems attached to Information Dynamics network are updated accurately and timely with security protection mechanisms (patches) for known vulnerabilities and exploits. These mechanisms are intended to reduce or eliminate the vulnerabilities and exploits with impact to the business.
2.Scope
This procedure applies to all Software, Servers OS, Desktops OS, Laptops OS, Printers firmware & Network elements firmware of Information Dynamics.
The scope will be applicable to all activities under the scope statement of Information Dynamics.
27001:2013 Domain Reference: A.12.6.1 – Technical Vulnerability Management
Responsibilities required for fulfilling the utilization, support and administration roles for the patch management procedure are identified and documented within a standardized framework.
Corporate Security Department -
Information Security Team
Monitoring
• Daily, Weekly and Monthly Review of current patch versions.
• Receipt of events
• Tracking of vulnerabilities & new fixes
• Reporting Medium/High Risk vulnerabilities the Incident Response Team.
I nf o r m a ti o n Technology Department
Procedure Document
Patch Procedure Internal Page 3
IT Infrastructure Department
IT Network
• Patching and updating Network Elements (F/W, Routers, Switches, IPS/ etc) with the patches.
• Communicate patches &updates Information Security Team
• Notification any suspect event (OS level) to the Information Security Team
• Organise System backup before patching
• Conduct periodic review of security with the Information Team
• Inform and review high risk vulnerabilities and alerts with Information Security Team.
• Patching and updating Applications with the patches.
• Communicate patches & updates Security Team.
• Conduct review of security events with the Information Security Team& with the vendor.
• Inform and review high vulnerabilities and alerts with Information Security Team.
• Patching and updating OS (Sun, Windows etc)with the latest patches.
• Communicate patches & updates to Information Team
• Notification of any suspect security event ( level) to the Information Security Team
• Organise System backup before patching
• Conduct review of security events with the Information Security Team
• Inform and review high risk vulnerabilities and alerts with Information Security Team..
• Notify Information Security Team about malicious/ suspicious activity/complaints on the network
I nf o r m a ti o n Technology Department
Procedure Document
Patch Management Procedure Internal Page 4
4. Patch Management flow-chart
I nf o r m a ti o n Technology Department
Procedure Document
Patch Management Internal Page 5
5. Patch Management Procedure
5.1.1Inventory of all systems & applications
Information security Team & System Administrators
Getting a complete inventory for all in scope systems & applications for example; all routers, their model & their OS or version.
5.1.2Running a Vulnerability analysis
Information security Team & System Administrators
The analysis should verify the current patch status, possible vulnerabilities, and what steps are needed for remediation.
5.1.3Analysing severity of the vulnerabilities
Information security Team
Determine the severity level based on the scope and of the event.
analysing the severity should be categorized to 3 categories.
• Low
• Medium
• High
5.1.4 Obtaining the correct patches
Preparing for applying patches on all in scope software & systems.
I nf o r m a ti o n Technology Department
Procedure Document
Patch Management Procedure Internal Page 6
5.2.1 Implementing Patches on a Test environment
Assure that patches are stable and have no adverse effect. Patch must not affect the current Production environment. Once confirmed, Patches should be applied to selected users for further testing.
5.2.2 Implementing patches a Production (Live) system
Make sure Patches are installed properly. To assure there is a smooth roll-out, there must be a good plan for roll-back if anything went wrong Patches must be installed within 30 days of its release.
5.3. the Network once again
Information security Team
To assure that all machine received the intended patch and if applicable, determine why the un- patched systems did not.
5.3.2Update System Configuration Standard
Information security Team
System Administrators
Once the patches are successfully implemented, all System Configuration standard should be updated to reflect the updates.
5.3.3 Daily Vulnerability Check
Information security Team
To maintain all machines & software with the latest patches
I nf o r m a ti o n Technology Department
Procedure Document
Patch Management Procedure Internal Page 7
Associated Documentation
• Vulnerability Assessment reports
• Penetration Test Reports
• Bulletin details
Measurement KPIs
Measure whether the released security and critical MS patches are being installed in environment
scan reports, Missing patch reports
100% of Servers need to have security and Critical Patches installed.
Atleast 95% of the end users system need to have updated and Critical Patches installed.
