Patch Management Policy 1.0
Created by: bhawanraj
Submitted to: All organization
1.0 Overview
Organizations are responsible for ensuring the confidentiality, integrity, and availability of their own data and of customer data stored on their systems. Client has an obligation to provide appropriate protection against the vulnerabilities and malware threats that could adversely affect the security of a system or of the data entrusted to it. Effective implementation of this policy will limit the exposure to, and the effect of, common vulnerabilities on the systems within its scope.
2.0 Purpose
This document describes the patch management and vulnerability management requirements for maintaining up-to-date operating system security patches on all organization-owned and managed servers.
3.0 Scope
This policy applies to all servers owned and managed by the organization. This includes systems that contain company or customer data owned or managed by Client, regardless of location. The following systems have been categorized according to the team that manages them:
● Microsoft Windows servers managed by the Windows Engineering Team
4.0 Policy
All Windows servers owned by Client must have up-to-date operating system security patches installed (as defined by the patch management minimum baseline standards) to protect the asset from known vulnerabilities.
4.1 Servers
Servers must comply with the minimum baseline requirements that have been approved by the Patch Management Team. These minimum baseline requirements define the default operating system level, service pack, hotfix, and patch level required to ensure the security of the Client asset and the data that resides on the system.
Any exception to the policy must be documented and forwarded to the Patch Management Team for review.
5.0 Roles and Responsibilities
● Windows Engineering (Wintel Team) will manage the patching needs for the Microsoft Windows servers on the network.
● Information Security is responsible for routinely assessing compliance with the patching policy and will provide guidance to all groups on issues of security and patch management.
● The Change Management Board is responsible for approving the monthly/quarterly and emergency patch management deployment requests.
6.0 Monitoring and Reporting
Active patching teams noted in the Roles and Responsibilities section (5.0) are required to compile and maintain reporting metrics that summarize the outcome of each patching cycle. These reports shall be used to evaluate the current patching levels of all systems and to assess the current level of risk. These reports shall be made available to Information Security and Internal Audit upon request.
7.0 Enforcement
Implementation and enforcement of this policy is ultimately the responsibility of all employees at Client. Information Security and Internal Audit may conduct random assessments, without notice, to ensure compliance with the policy. Any system found in violation of this policy shall require immediate corrective action. Violations shall be recorded in Client's issue tracking system, and support teams shall be dispatched to remediate the issue.
Repeated failures to follow this policy may lead to disciplinary action.
8.0 Exceptions
Exceptions to the patch management policy require formal documented approval from the Patch Management Team. Any server that does not comply with the policy must have an approved exception on file with the Patch Management Team.
9.0 Definitions
Term: Definition
Patch: A piece of software designed to fix problems with, or update, a computer program or its supporting data.
Trojan: A class of computer threat (malware) that appears to perform a desirable function but in fact performs undisclosed malicious functions.
Virus: A computer program that can copy itself and infect a computer without the permission or knowledge of the owner.
Worm: A self-replicating computer program that uses a network to send copies of itself to other nodes. It may cause harm by consuming bandwidth.
1.1 Revision History
1.0: initial policy version, 14/09/2018