Information Technology Department

Procedure Document

Patch Management Procedure Internal Page 1

Patch Management Procedure

HistoryLog

Version

Date

Author

1.0

1

st

November 2017

Information Dynamics

1.1

26

th

January 2019

Information Dynamics

1.2

10

th

Dec 2019

Information Dynamics, Added

KPI

1.3

08

th

Dec 2020

Shaik & Mani

1.4

08

th

Dec 2021

Shaik & Soundar

Information Technology Department

Procedure Document

Patch Management Procedure Internal Page 2

1. Introduction

The purpose of this procedure is to ensure that software & computer systems attached to

Information Dynamics network are updated accurately and timely with security

protection mechanisms (patches) for known vulnerabilities and exploits. These

mechanisms are intended to reduce or eliminate the vulnerabilities and exploits with

limited impact to the business.

2.Scope

This procedure applies to all Software, Servers OS, Desktops OS, Laptops OS, Printers

firmware & Network elements firmware of Information Dynamics.

The scope will be applicable to all activities under the scope statement of Information

Dynamics.

ISO 27001:2013 Domain Reference: A.12.6.1 – Technical Vulnerability Management

3. Roles and Responsibilities

Responsibilities required for fulfilling the utilization, support and administration roles for

the patch management procedure are identified and documented within a standardized

framework.

Support Role

Responsibility

Corporate Security

Department -

Information Security Team

Monitoring

 Daily, Weekly and Monthly Review of current patch versions.

 Receipt of escalated events

 Tracking of vulnerabilities & new fixes

 Reporting Medium/High Risk vulnerabilities to the Incident

Response Team.

Information Technology Department

Procedure Document

Patch Management Procedure Internal Page 3

Support Role

Responsibility

IT Infrastructure Department

IT Network

 Patching and updating Network Elements(F/W, Routers,

Switches, IPS/IDS etc) with the latest patches.

 Communicate patches &updates to Information Security Team

 Notification of any suspect security event (OS level) to the

Information Security Team

 Organise System backup before patching

 Conduct periodic review of security events with the Information

Security Team

 Inform and review high risk vulnerabilities and alerts with

Information Security Team.

Application Administrators

 Patching and updating Applications with the latest patches.

 Communicate patches & updates to Information Security Team.

 Conduct periodic review of security events with the Information

Security Team& with the vendor.

 Inform and review high risk vulnerabilities and alerts with

Information Security Team.

System Administrators

 Patching and updating OS (Sun, Windows etc)with the latest

patches.

 Communicate patches & updates to Information Security Team

 Notification of any suspect security event (OS level) to the

Information Security Team

 Organise System backup before patching

 Conduct periodic review of security events with the Information

Security Team

 Inform and review high risk vulnerabilities and alerts with

Information Security Team..

Help Desk

 Notify Information Security Team about malicious/ suspicious

activity/complaints on the network

Information Technology Department

Procedure Document

Patch Management Procedure Internal Page 4

4. Patch Management flow-chart

Inventory of all

systems &

applications

Roll-Back

Succeeded

Running a

Vulnerability analysis

Analysing severity of

the vulnerabilities

Obtaining the correct

patches

Implementing

patches on a test

environment

Testing Roll-Back

Procedure

Implementing

patches on a live

system

Yes

No

Scanning the

network once again

All Patches

in Place

No

Daily vulnerability

check

Yes

New

Vulnerability

Yes

No

Pre Deployment

End

Pre Deployment

Start

Post Deployment

Start

Information Technology Department

Procedure Document

Patch Management Procedure Internal Page 5

5. Patch Management Procedure

5.1Pre Deployment

5.1.1Inventory of all systems & applications

Assigned Area

Objective

Information security Team &

System Administrators

Getting a complete inventory for all in scope

systems & applications for example; all routers,

their model & their OS or firmware version.

5.1.2Running a Vulnerability analysis

Assigned Area

Objective

Information security Team &

System Administrators

The analysis should verify the current patch status,

possible vulnerabilities, and what steps are needed

for remediation.

5.1.3Analysing severity of the vulnerabilities

Assigned Area

Objective

Information security Team

Determine the severity level based on the scope

and impact of the event.

After analysing the severity should be categorized to 3 categories.

• Low

• Medium

• High

5.1.4 Obtaining the correct patches

Assigned Area

Objective

System Administrators

Preparing for applying patches on all in scope

software & systems.

Information Technology Department

Procedure Document

Patch Management Procedure Internal Page 6

5.2 Deployment

5.2.1 Implementing Patches on a Test environment

Assigned Area

Objective

System Administrators

Assure that patches are stable and have no adverse

effect. Patch must not affect the current

Production environment. Once confirmed, Patches

should be applied to selected users for further

testing.

5.2.2 Implementing patches on a Production (Live) system

Assigned Area

Objective

System Administrators

Make sure Patches are installed properly. To

assure there is a smooth roll-out, there must be a

good plan for roll-back if anything went wrong

Patches must be installed within 30 days of its

release.

5.3 Post Deployment

5.3.1Scanning the Network once again

Assigned Area

Objective

Information security Team

To assure that all machine received the intended

patch and if applicable, determine why the un-

patched systems did not.

5.3.2Update System Configuration Standard

Assigned Area

Objective

Information security Team

System Administrators

Once the patches are successfully implemented,

all System Configuration standard should be

updated to reflect the updates.

5.3.3 Daily Vulnerability Check

Assigned Area

Objective

Information security Team

To maintain all machines & software with the

latest patches

Information Technology Department

Procedure Document

Patch Management Procedure Internal Page 7

Associated Documentation

• Vulnerability Assessment reports

• Penetration Test Reports

• MS Bulletin details

Measurement KPIs

KPI

Frequency

Objective

Data Source

Threshold

Patch

Management

Process

Quarterly

Measure whether

the released

security and critical

MS patches are

being installed in

the environment

VA scan reports,

Missing patch

reports

100% of Servers

need to have

updated security

and Critical

Patches

installed.

Atleast 95% of

the end users

system need to

have updated

security and

Critical Patches

installed.