Purpose

The purpose of this policy is to establish a process for patching software vulnerabilities in order to protect the confidentiality, integrity and availability of information systems and data.

Scope

This policy applies to all information systems and data owned or operated by Bitz ‘n’ PC’z Ltd (the company).

Information Systems refers to:

  • Physical Servers
  • Virtual Servers
  • Cloud hosted Servers
  • End user compute devices (laptops/desktops etc.)
  • Mobile devices (phones, tablets etc.)
  • Server Operating Systems (both Microsoft and non-Microsoft)
  • Server Applications – (i.e.: Microsoft IIS or SQL etc.)
  • Productivity Tools such as MS Office, Adobe Reader, and Web Browsers
  • Device firmware

Policy

  1. All software must be patched as soon as possible after a vulnerability is identified.
  2. Patches must be tested before they are deployed to production systems.
  3. Patches must be deployed to production systems in a timely manner.
  4. Patches must be monitored to ensure that they are effective.

For Microsoft updates, the following severity ratings are used to determine when a patch is installed:

  • Critical: Critical vulnerabilities should be patched as soon as possible (preferably within 24 hours, but up to 14 days of being released). These vulnerabilities are considered to be the most severe, and they could allow attackers to take control of your system or steal your data.
  • Important: Important vulnerabilities should be patched within 14 days of being released. These vulnerabilities are considered to be serious, and they could allow attackers to gain access to your system or data.
  • Moderate: Moderate vulnerabilities should be patched within 21 days of being released. These vulnerabilities are considered to be less serious, but they could still allow attackers to exploit your system or data.
  • Low: Low vulnerabilities should be patched within 28 days of being released. These vulnerabilities are considered to be the least serious, but they could still be exploited by attackers.

Implementation

The company will implement the following procedures to implement this policy:

  1. The company will use a vulnerability management tool to identify software vulnerabilities.
  2. The company will use a patch management tool to deploy patches to systems.
  3. The company will use a monitoring tool to monitor the effectiveness of patches.

Compliance

The company will conduct regular audits to ensure compliance with this policy. Any employee who violates this policy may be subject to disciplinary action, up to and including termination of employment.

Automated tools

The company will use automated tools to keep devices up-to-date, such as Winget and Chocolatey. These tools will be used to automatically download and install patches for operating systems, web browsers and other software.  All software, where applicable, will also be set to auto update.

Benefits of using automated tools

Automated tools can help to improve the efficiency and effectiveness of the patching process. They can also help to reduce the risk of human error. Additionally, automated tools can help to ensure that all devices are up-to-date with the latest patches, which can help to protect against security vulnerabilities.

Definitions

  • Vulnerability: A weakness in a system or application that can be exploited by an attacker.
  • Patch: A software update that addresses a vulnerability.
  • Vulnerability management: The process of identifying, assessing, and mitigating vulnerabilities.
  • Patch management: The process of deploying patches to systems.
  • Change management: The process of managing changes to systems.
  • Monitoring: The process of observing systems to identify problems.