| Contents |
|---|
| |
Overview
A process should be established for the deployment of system and software patches which includes:
- Creation of an asset inventory
- Defining roles and responsibility
- Determining importance of systems and patch rankings
- A documented patch management process
Asset Inventory
Defining roles and responsibility
Systems and Patch Rankings
Critical Security Threats |
High |
Medium |
Low |
|---|---|---|---|
Vendor Patches and security updates defined as "high," "critical" or "urgent" for all system components and other IT resources affected by threat |
X |
|
|
Vendor Patches and security updates with remote exploits actively spreading in the wild |
X |
|
|
Vendor Patches and security updates defined as "medium," "moderate" or "important" for all system components and other IT resources affected by threat |
|
X |
|
Vendor Patches and security updates defined as "low," "non-essential" or "non-urgent" for all system components and other IT resources affected by threat |
|
|
X |
Patch Management Process
The patch management process should:
a) determine methods of obtaining patches
b) specify methods of validating patches (e.g., ensuring that the patch is from an authorized source)
c) identify vulnerabilities that are applicable to the installation
d) assess the business impact of implementing patches (or not implementing a particular patch)
e) ensure patches are tested against known criteria
f) describe methods of deploying patches (e.g., using software distribution tools)
g) report on the status of patch deployment within the installation
h) include methods of dealing with the failed deployment of a patch (e.g., redeployment of the patch).