Policy Reference


Category IT Asset and Risk Management
Approval Date  01-29-2010
Scope All Personnel

 

Purpose

The purpose of this policy is to minimize security vulnerabilities  by utilizing  up-to-date system software and  installing recommended security related software updates in a timely manner.



Policy

 
  1. ITS  will have patch management standards with patch identification, evaluation, request and approval, testing, rollback, implementation, and documentation procedures.
  2. ITS  will maintain a standard and appropriate procedures to ensure that all critical and important security updates available to date are installed in a timely manner.
  3. ITS will ensure that all security and update patches are tested and evaluated for operational impact before they are deployed.


Compliance

  1. If there is a new firmware release, install it in the router.
    Keep firewalls up to date, and install available patches regularly.
    Keep the OS up-to-date and patched regularly.
    Keep RDBMS up-to-date, and patch regularly.
    Keep Web servers up-to-date, also patch, and scan regularly.
    Keep the application server up-to-date, and patch and scan regularly.
    Scan and patch DNS servers regularly.
    Scan and patch mail servers regularly.
    § 3-3, § 3-4, § 3-8, § 3-10, § 3-13, § 3-15, MasterCard Electronic Commerce Security Architecture Best Practices, April 2003
  2. Procedures should be in place by software vendors for the development and deployment of security patches and upgrades in a timely manner. All patches and upgrades should be delivered securely using a known chain-of-trust and a method that maintains the integrity of the patches/upgrades. Measures should be taken to ensure the application does not interfere with the installation of patches or updates. § 7.2, § 8.1, Payment Card Industry (PCI) Payment Application Data Security Standard, Version 1.1
  3. Patch management procedures should specify what hardware and software should be patched and how the patches will be distributed. The patch management process should have procedures in place to specify how patches will be obtained and validated, what the business impact will be of installing or not installing the patches, how patches will be deployed and tested, and how to deal with failed patch deployments. SM5.6.1, SM5.6.4, CI2.3.6(a), CI2.3.6(b), CI3.6.1, CI3.6.4, The Standard of Good Practice for Information Security