SlideShare a Scribd company logo

Patch management policy_final

Ayubu Churi
Ayubu Churi

This document outlines the University of Exeter's patch management policy. It defines the scope of IT systems covered, including those managed by third parties. The policy requires that all systems must have up-to-date operating systems and applications, and install critical and high risk patches within 14 days. It assigns roles for patching activities and requires monitoring and reporting on patching status. The policy is reviewed annually or as needed to ensure alignment with relevant laws and best practices.

Design
1 of 6
Download to read offline
Patch Management Policy v1 1 Patch Management Policy (Version 1) Document Control Information: Date: 21/5/18 Master Tracking Name Patch Management Policy Master Tracking Reference Owning Service / Department Exeter IT Issue: 1 Approvals: Authors: P. Jones, T. Dyhouse and Ali Mitchell Approved By: Exeter IT Senior Management Team Authorised By: Chief Information & Digital Officer
Patch Management Policy v1 2 Document Control Author Version Date Issued Changes Approval P. Jones 0.1 04/09/17 Creation of document T. Dyhouse 0.2 27/09/17 QA of V0.1 addition of CAB measures. P Jones 0.3 October 2017 Updates from CGR and split into two documents. Ali Mitchell 1.0 May 2018 Format and added in Third Party Suppliers Published Next review due: July 2018
Patch Management Policy v1 3 Contents 1 Introduction…………………………………………………………………….4 2 Purpose………………………………………………………………………….4 3 Definitions………………………………………………………………………4 4 Scope…………………………………………………………………………….4 5 Policy…………………………………………………………………………….5 6 Roles and responsibilities……………………………………………………6 7 Monitoring and reporting……………………………………………………..6 8 Policy review and maintenance……………………………………………..6 9 Advice……………………………………………………………………………6
Patch Management Policy v1 4 1. Introduction The University of Exeter has a responsibility to uphold the confidentiality, integrity and availability of the data held on its IT systems on and off site which includes systems and services supplied by third parties. The university has an obligation to provide appropriate and adequate protection of all IT estate whether it is IT systems on premise, in the Cloud or systems and services supplied by third parties. Effective implementation of this policy reduces the likelihood of compromise which may come from a malicious threat actor or threat source. 2. Purpose This document describes the requirements for maintaining up-to-date operating system security patches and software version levels on all the University of Exeter owned estate and services supplied by third parties. 3. Definitions The term IT systems includes:  Workstations  Servers (physical and virtual)  Firmware  Networks (including hardwired, Wi-Fi, switches, routers etc.)  Hardware  Software (databases, platforms etc.)  Applications (including mobile apps)  Cloud Services 4. Scope This policy applies to:  Workstations, servers, networks, hardware devices, software and applications owned by the University of Exeter and managed by Exeter IT. This includes third parties supporting University of Exeter IT systems.  Systems that contain company or customer data owned or managed by Exeter IT regardless of location. Again, this includes third party suppliers.  CCTV systems where recordings are backed up to the University’s networks.  Point of payment terminals using University of Exeter’s networks.  Third party suppliers of IT systems as defined in Section 3.
Patch Management Policy v1 5 5. Policy University controls:  All IT systems (as defined in section 3), either owned by the University of Exeter or those in the process of being developed and supported by third parties, must be manufacturer supported and have up-to-date and security patched operating systems and application software.  Security patches must be installed to protect the assets from known vulnerabilities.  Any patches categorised as ‘Critical’ or ‘High risk’ by the vendor must be installed within 14 days of release from the operating system or application vendor unless prevented by University IT Change Control (CAB – Change Advisory Board) procedures.  Where CAB procedures prevent the installation of ‘Critical’ or ‘High risk’ security patches within 14 days a temporary means of mitigation will be applied to reduce the risk. o Workstations  All desktops and laptops that are managed by Exeter IT must meet the Laptop and Workstation Build Policy minimum requirements in build and setup. Any exceptions shall be documented and reported to Exeter IT Head of IT Security and Compliance. o Servers  Servers must comply with the recommended minimum requirements that are specified by Exeter IT which includes the default operating system level, service packs, hotfixes and patching levels. Any exceptions shall be documented and reported to Exeter IT Head of Security and Compliance. Third Party Suppliers: Security patches must be up-to-date for IT systems which are being designed and delivered by third party suppliers prior to going operational. Third party suppliers much be prepared to provide evidence of up-to-date patching before IT systems are accepted into service and thus become operational. Once the IT systems are operational the following patching timescales apply:  Critical or High Risk vulnerabilities – 14 calendar days  Medium – 21 calendar days  Low – 28 calendar days
Patch Management Policy v1 6 6. Roles and Responsibilities  Exeter IT. o Will manage the patching needs for the Windows, Apple Mac OS and Linux estate that is connected to the University of Exeter domain. o Responsible for routinely assessing compliance with the patching policy and will provide guidance to all the stakeholder groups in relation to issues of security and patch management.  Change Advisory Board. o Responsible for approving the monthly and emergency patch management deployment requests.  End User. o The end user has a responsibility to ensure that patches are installed and the machine is rebooted when required. Any problems must be reported to Exeter IT.  Third Party Suppliers o Will ensure security patches must be up-to-date for IT systems which are being designed and delivered by third party suppliers prior to going operational. o Once the IT systems are operational third party suppliers must ensure vulnerability patching is carried out as stipulated in Section 5 – Policy. Where this is not possible, this must be escalated to the Head of IT Security and Compliance. 7. Monitoring and Reporting Those with patching roles as detailed in section 6 above are required to compile and maintain reporting metrics that summarise the outcome of each patching cycle. These reports shall be used to evaluate the current patching levels of all systems and to assess the current level of risk. These reports shall be made available to Cyber Security Team and Internal Audit upon request. 8. Policy Review and Maintenance The Policy will be reviewed and updated, annually, or as needed, to ensure that the policy remains aligned with changes to relevant laws, contractually obligations and best practice. 9. For advice Please contact either the Head of IT Security and Compliance or the IT Operations and Security Manager. Queries can be emailed to information-security@exeter.ac.uk

Recommended

Patch Management Best Practices
Patch Management Best Practices Patch Management Best Practices
Patch Management Best Practices Ivanti
 
Everything You Need To Know About Ivanti Security Controls
Everything You Need To Know About Ivanti Security ControlsEverything You Need To Know About Ivanti Security Controls
Everything You Need To Know About Ivanti Security ControlsIvanti
 
Transforming your Security Products at the Endpoint
Transforming your Security Products at the EndpointTransforming your Security Products at the Endpoint
Transforming your Security Products at the EndpointIvanti
 
Patch Management Best Practices 2019
Patch Management Best Practices 2019Patch Management Best Practices 2019
Patch Management Best Practices 2019Ivanti
 
OSB130 Patch Management Best Practices
OSB130 Patch Management Best PracticesOSB130 Patch Management Best Practices
OSB130 Patch Management Best PracticesIvanti
 
Meltdown and Spectre - How to Detect the Vulnerabilities and Exploits
Meltdown and Spectre - How to Detect the Vulnerabilities and ExploitsMeltdown and Spectre - How to Detect the Vulnerabilities and Exploits
Meltdown and Spectre - How to Detect the Vulnerabilities and ExploitsAlienVault
 
Patch Management - 2013
Patch Management - 2013Patch Management - 2013
Patch Management - 2013Vicky Ames
 
Simplify PCI DSS Compliance with AlienVault USM
Simplify PCI DSS Compliance with AlienVault USMSimplify PCI DSS Compliance with AlienVault USM
Simplify PCI DSS Compliance with AlienVault USMAlienVault
 

Recommended

Patch Management Best Practices
Patch Management Best Practices Patch Management Best Practices
Patch Management Best Practices Ivanti
 
Everything You Need To Know About Ivanti Security Controls
Everything You Need To Know About Ivanti Security ControlsEverything You Need To Know About Ivanti Security Controls
Everything You Need To Know About Ivanti Security ControlsIvanti
 
Transforming your Security Products at the Endpoint
Transforming your Security Products at the EndpointTransforming your Security Products at the Endpoint
Transforming your Security Products at the EndpointIvanti
 
Patch Management Best Practices 2019
Patch Management Best Practices 2019Patch Management Best Practices 2019
Patch Management Best Practices 2019Ivanti
 
OSB130 Patch Management Best Practices
OSB130 Patch Management Best PracticesOSB130 Patch Management Best Practices
OSB130 Patch Management Best PracticesIvanti
 
Meltdown and Spectre - How to Detect the Vulnerabilities and Exploits
Meltdown and Spectre - How to Detect the Vulnerabilities and ExploitsMeltdown and Spectre - How to Detect the Vulnerabilities and Exploits
Meltdown and Spectre - How to Detect the Vulnerabilities and ExploitsAlienVault
 
Patch Management - 2013
Patch Management - 2013Patch Management - 2013
Patch Management - 2013Vicky Ames
 
Simplify PCI DSS Compliance with AlienVault USM
Simplify PCI DSS Compliance with AlienVault USMSimplify PCI DSS Compliance with AlienVault USM
Simplify PCI DSS Compliance with AlienVault USMAlienVault
 
Six Steps to SIEM Success
Six Steps to SIEM SuccessSix Steps to SIEM Success
Six Steps to SIEM SuccessAlienVault
 
Vulnerability threat and attack
Vulnerability threat and attackVulnerability threat and attack
Vulnerability threat and attacknewbie2019
 
Vulnerability Assessment
Vulnerability AssessmentVulnerability Assessment
Vulnerability Assessmentprimeteacher32
 
Why Patch Management is Still the Best First Line of Defense
Why Patch Management is Still the Best First Line of DefenseWhy Patch Management is Still the Best First Line of Defense
Why Patch Management is Still the Best First Line of DefenseLumension
 
Alienvault threat alerts in spiceworks
Alienvault threat alerts in spiceworksAlienvault threat alerts in spiceworks
Alienvault threat alerts in spiceworksAlienVault
 
Extending the 20 critical security controls to gap assessments and security m...
Extending the 20 critical security controls to gap assessments and security m...Extending the 20 critical security controls to gap assessments and security m...
Extending the 20 critical security controls to gap assessments and security m...John M. Willis
 
NIST Framework for Information System
NIST Framework for Information SystemNIST Framework for Information System
NIST Framework for Information Systemnewbie2019
 
Improve Situational Awareness for Federal Government with AlienVault USM
Improve Situational Awareness for Federal Government with AlienVault USMImprove Situational Awareness for Federal Government with AlienVault USM
Improve Situational Awareness for Federal Government with AlienVault USMAlienVault
 
NASA OIG Report
NASA OIG ReportNASA OIG Report
NASA OIG ReportPriyanka Aash
 
New USM v5.0 - Get Complete Security Visibility Faster & Easier Than Ever
New USM v5.0 - Get Complete Security Visibility Faster & Easier Than EverNew USM v5.0 - Get Complete Security Visibility Faster & Easier Than Ever
New USM v5.0 - Get Complete Security Visibility Faster & Easier Than EverAlienVault
 
How to Detect System Compromise & Data Exfiltration with AlienVault USM
How to Detect System Compromise & Data Exfiltration with AlienVault USMHow to Detect System Compromise & Data Exfiltration with AlienVault USM
How to Detect System Compromise & Data Exfiltration with AlienVault USMAlienVault
 
Webcast Series #3: GDPR Deadline Readiness and Impact to Global Organizations...
Webcast Series #3: GDPR Deadline Readiness and Impact to Global Organizations...Webcast Series #3: GDPR Deadline Readiness and Impact to Global Organizations...
Webcast Series #3: GDPR Deadline Readiness and Impact to Global Organizations...Qualys
 
Enterprise Vulnerability Management: Back to Basics
Enterprise Vulnerability Management: Back to BasicsEnterprise Vulnerability Management: Back to Basics
Enterprise Vulnerability Management: Back to BasicsDamon Small
 
Incident Response in the wake of Dear CEO
Incident Response in the wake of Dear CEOIncident Response in the wake of Dear CEO
Incident Response in the wake of Dear CEOPaul Dutot IEng MIET MBCS CITP OSCP CSTM
 
Configuring Data Sources in AlienVault
Configuring Data Sources in AlienVaultConfiguring Data Sources in AlienVault
Configuring Data Sources in AlienVaultAlienVault
 
Effective Vulnerability Management
Effective Vulnerability ManagementEffective Vulnerability Management
Effective Vulnerability ManagementVicky Ames
 
Effective Cyber Defense Using CIS Critical Security Controls
Effective Cyber Defense Using CIS Critical Security ControlsEffective Cyber Defense Using CIS Critical Security Controls
Effective Cyber Defense Using CIS Critical Security ControlsBSides Delhi
 
The Six Stages of Incident Response - Auscert 2016
The Six Stages of Incident Response - Auscert 2016The Six Stages of Incident Response - Auscert 2016
The Six Stages of Incident Response - Auscert 2016Ashley Deuble
 
3rd Party Outsourcing Information Security Assessment Questionnaire
3rd Party Outsourcing Information Security Assessment Questionnaire3rd Party Outsourcing Information Security Assessment Questionnaire
3rd Party Outsourcing Information Security Assessment QuestionnairePriyanka Aash
 
Engineering Software Products: 7. security and privacy
Engineering Software Products: 7. security and privacyEngineering Software Products: 7. security and privacy
Engineering Software Products: 7. security and privacysoftware-engineering-book
 
PLAN DE CONTINGENCIA.pdf
PLAN DE CONTINGENCIA.pdfPLAN DE CONTINGENCIA.pdf
PLAN DE CONTINGENCIA.pdfjosemaza20
 
Policy and procedure of hospitals
Policy and procedure of hospitalsPolicy and procedure of hospitals
Policy and procedure of hospitalsMohammed Alabdali
 

More Related Content

What's hot

Six Steps to SIEM Success
Six Steps to SIEM SuccessSix Steps to SIEM Success
Six Steps to SIEM SuccessAlienVault
 
Vulnerability threat and attack
Vulnerability threat and attackVulnerability threat and attack
Vulnerability threat and attacknewbie2019
 
Vulnerability Assessment
Vulnerability AssessmentVulnerability Assessment
Vulnerability Assessmentprimeteacher32
 
Why Patch Management is Still the Best First Line of Defense
Why Patch Management is Still the Best First Line of DefenseWhy Patch Management is Still the Best First Line of Defense
Why Patch Management is Still the Best First Line of DefenseLumension
 
Alienvault threat alerts in spiceworks
Alienvault threat alerts in spiceworksAlienvault threat alerts in spiceworks
Alienvault threat alerts in spiceworksAlienVault
 
Extending the 20 critical security controls to gap assessments and security m...
Extending the 20 critical security controls to gap assessments and security m...Extending the 20 critical security controls to gap assessments and security m...
Extending the 20 critical security controls to gap assessments and security m...John M. Willis
 
NIST Framework for Information System
NIST Framework for Information SystemNIST Framework for Information System
NIST Framework for Information Systemnewbie2019
 
Improve Situational Awareness for Federal Government with AlienVault USM
Improve Situational Awareness for Federal Government with AlienVault USMImprove Situational Awareness for Federal Government with AlienVault USM
Improve Situational Awareness for Federal Government with AlienVault USMAlienVault
 
New USM v5.0 - Get Complete Security Visibility Faster & Easier Than Ever
New USM v5.0 - Get Complete Security Visibility Faster & Easier Than EverNew USM v5.0 - Get Complete Security Visibility Faster & Easier Than Ever
New USM v5.0 - Get Complete Security Visibility Faster & Easier Than EverAlienVault
 
How to Detect System Compromise & Data Exfiltration with AlienVault USM
How to Detect System Compromise & Data Exfiltration with AlienVault USMHow to Detect System Compromise & Data Exfiltration with AlienVault USM
How to Detect System Compromise & Data Exfiltration with AlienVault USMAlienVault
 
Webcast Series #3: GDPR Deadline Readiness and Impact to Global Organizations...
Webcast Series #3: GDPR Deadline Readiness and Impact to Global Organizations...Webcast Series #3: GDPR Deadline Readiness and Impact to Global Organizations...
Webcast Series #3: GDPR Deadline Readiness and Impact to Global Organizations...Qualys
 
Enterprise Vulnerability Management: Back to Basics
Enterprise Vulnerability Management: Back to BasicsEnterprise Vulnerability Management: Back to Basics
Enterprise Vulnerability Management: Back to BasicsDamon Small
 
Configuring Data Sources in AlienVault
Configuring Data Sources in AlienVaultConfiguring Data Sources in AlienVault
Configuring Data Sources in AlienVaultAlienVault
 
Effective Vulnerability Management
Effective Vulnerability ManagementEffective Vulnerability Management
Effective Vulnerability ManagementVicky Ames
 
Effective Cyber Defense Using CIS Critical Security Controls
Effective Cyber Defense Using CIS Critical Security ControlsEffective Cyber Defense Using CIS Critical Security Controls
Effective Cyber Defense Using CIS Critical Security ControlsBSides Delhi
 
The Six Stages of Incident Response - Auscert 2016
The Six Stages of Incident Response - Auscert 2016The Six Stages of Incident Response - Auscert 2016
The Six Stages of Incident Response - Auscert 2016Ashley Deuble
 
3rd Party Outsourcing Information Security Assessment Questionnaire
3rd Party Outsourcing Information Security Assessment Questionnaire3rd Party Outsourcing Information Security Assessment Questionnaire
3rd Party Outsourcing Information Security Assessment QuestionnairePriyanka Aash
 
Engineering Software Products: 7. security and privacy
Engineering Software Products: 7. security and privacyEngineering Software Products: 7. security and privacy
Engineering Software Products: 7. security and privacysoftware-engineering-book
 

What's hot (20)

Six Steps to SIEM Success
Six Steps to SIEM SuccessSix Steps to SIEM Success
Six Steps to SIEM Success
 
Vulnerability threat and attack
Vulnerability threat and attackVulnerability threat and attack
Vulnerability threat and attack
 
Vulnerability Assessment
Vulnerability AssessmentVulnerability Assessment
Vulnerability Assessment
 
Why Patch Management is Still the Best First Line of Defense
Why Patch Management is Still the Best First Line of DefenseWhy Patch Management is Still the Best First Line of Defense
Why Patch Management is Still the Best First Line of Defense
 
Alienvault threat alerts in spiceworks
Alienvault threat alerts in spiceworksAlienvault threat alerts in spiceworks
Alienvault threat alerts in spiceworks
 
Extending the 20 critical security controls to gap assessments and security m...
Extending the 20 critical security controls to gap assessments and security m...Extending the 20 critical security controls to gap assessments and security m...
Extending the 20 critical security controls to gap assessments and security m...
 
NIST Framework for Information System
NIST Framework for Information SystemNIST Framework for Information System
NIST Framework for Information System
 
Improve Situational Awareness for Federal Government with AlienVault USM
Improve Situational Awareness for Federal Government with AlienVault USMImprove Situational Awareness for Federal Government with AlienVault USM
Improve Situational Awareness for Federal Government with AlienVault USM
 
NASA OIG Report
NASA OIG ReportNASA OIG Report
NASA OIG Report
 
New USM v5.0 - Get Complete Security Visibility Faster & Easier Than Ever
New USM v5.0 - Get Complete Security Visibility Faster & Easier Than EverNew USM v5.0 - Get Complete Security Visibility Faster & Easier Than Ever
New USM v5.0 - Get Complete Security Visibility Faster & Easier Than Ever
 
How to Detect System Compromise & Data Exfiltration with AlienVault USM
How to Detect System Compromise & Data Exfiltration with AlienVault USMHow to Detect System Compromise & Data Exfiltration with AlienVault USM
How to Detect System Compromise & Data Exfiltration with AlienVault USM
 
Webcast Series #3: GDPR Deadline Readiness and Impact to Global Organizations...
Webcast Series #3: GDPR Deadline Readiness and Impact to Global Organizations...Webcast Series #3: GDPR Deadline Readiness and Impact to Global Organizations...
Webcast Series #3: GDPR Deadline Readiness and Impact to Global Organizations...
 
Enterprise Vulnerability Management: Back to Basics
Enterprise Vulnerability Management: Back to BasicsEnterprise Vulnerability Management: Back to Basics
Enterprise Vulnerability Management: Back to Basics
 
Incident Response in the wake of Dear CEO
Incident Response in the wake of Dear CEOIncident Response in the wake of Dear CEO
Incident Response in the wake of Dear CEO
 
Configuring Data Sources in AlienVault
Configuring Data Sources in AlienVaultConfiguring Data Sources in AlienVault
Configuring Data Sources in AlienVault
 
Effective Vulnerability Management
Effective Vulnerability ManagementEffective Vulnerability Management
Effective Vulnerability Management
 
Effective Cyber Defense Using CIS Critical Security Controls
Effective Cyber Defense Using CIS Critical Security ControlsEffective Cyber Defense Using CIS Critical Security Controls
Effective Cyber Defense Using CIS Critical Security Controls
 
The Six Stages of Incident Response - Auscert 2016
The Six Stages of Incident Response - Auscert 2016The Six Stages of Incident Response - Auscert 2016
The Six Stages of Incident Response - Auscert 2016
 
3rd Party Outsourcing Information Security Assessment Questionnaire
3rd Party Outsourcing Information Security Assessment Questionnaire3rd Party Outsourcing Information Security Assessment Questionnaire
3rd Party Outsourcing Information Security Assessment Questionnaire
 
Engineering Software Products: 7. security and privacy
Engineering Software Products: 7. security and privacyEngineering Software Products: 7. security and privacy
Engineering Software Products: 7. security and privacy
 

Similar to Patch management policy_final

PLAN DE CONTINGENCIA.pdf
PLAN DE CONTINGENCIA.pdfPLAN DE CONTINGENCIA.pdf
PLAN DE CONTINGENCIA.pdfjosemaza20
 
Policy and procedure of hospitals
Policy and procedure of hospitalsPolicy and procedure of hospitals
Policy and procedure of hospitalsMohammed Alabdali
 
Task 1.Complete the BIA table below and use it for the remai
Task 1.Complete the BIA table below and use it for the remaiTask 1.Complete the BIA table below and use it for the remai
Task 1.Complete the BIA table below and use it for the remaialehosickg3
 
Network Developement Capstone Project 2009 Sping Quarter
Network Developement Capstone Project 2009 Sping QuarterNetwork Developement Capstone Project 2009 Sping Quarter
Network Developement Capstone Project 2009 Sping Quarterrichlan421
 
201810003 201750007project report
201810003 201750007project report201810003 201750007project report
201810003 201750007project reportssuser219889
 
Guidelines on Cyber Security in Power Sector 2021_R.pptx
Guidelines on Cyber Security in Power Sector 2021_R.pptxGuidelines on Cyber Security in Power Sector 2021_R.pptx
Guidelines on Cyber Security in Power Sector 2021_R.pptxsrinivascooldude58
 
You have been hired as a consultant to design BCP for SanGrafix, a v.docx
You have been hired as a consultant to design BCP for SanGrafix, a v.docxYou have been hired as a consultant to design BCP for SanGrafix, a v.docx
You have been hired as a consultant to design BCP for SanGrafix, a v.docxshantayjewison
 
Absolute Software Governance-Risk-Compliance
Absolute Software Governance-Risk-ComplianceAbsolute Software Governance-Risk-Compliance
Absolute Software Governance-Risk-ComplianceSébastien Roques
 
IRJET- Data Security in Local Network through Distributed Firewalls: A Review
IRJET- Data Security in Local Network through Distributed Firewalls: A ReviewIRJET- Data Security in Local Network through Distributed Firewalls: A Review
IRJET- Data Security in Local Network through Distributed Firewalls: A ReviewIRJET Journal
 
IT Application Support Analyst Job Spec
IT Application Support Analyst Job SpecIT Application Support Analyst Job Spec
IT Application Support Analyst Job SpecLorraine Hodder
 
CONSULTANT ANALYSIS FOR MEDICAL FACILITY2CONSULTANT ANALYSIS FO.docx
CONSULTANT ANALYSIS FOR MEDICAL FACILITY2CONSULTANT ANALYSIS FO.docxCONSULTANT ANALYSIS FOR MEDICAL FACILITY2CONSULTANT ANALYSIS FO.docx
CONSULTANT ANALYSIS FOR MEDICAL FACILITY2CONSULTANT ANALYSIS FO.docxdonnajames55
 
Closing PCI WiFi Loopholes with AirMagnet Enterprise
Closing PCI WiFi Loopholes with AirMagnet EnterpriseClosing PCI WiFi Loopholes with AirMagnet Enterprise
Closing PCI WiFi Loopholes with AirMagnet Enterprisebagnalldarren
 
IIOT on Variable Frequency Drives
IIOT on Variable Frequency DrivesIIOT on Variable Frequency Drives
IIOT on Variable Frequency Drivesmuthamizh adhithan
 
Case Study - Monitoring and Evaluating the working of Telenor and ZTE
Case Study - Monitoring and Evaluating the working of Telenor and ZTECase Study - Monitoring and Evaluating the working of Telenor and ZTE
Case Study - Monitoring and Evaluating the working of Telenor and ZTEAsim Ranjha
 
Capstone Finished Presentation.doc
Capstone Finished Presentation.docCapstone Finished Presentation.doc
Capstone Finished Presentation.docKapricia Morris
 
Businesses involved in mergers and acquisitions must exercise due di.docx
Businesses involved in mergers and acquisitions must exercise due di.docxBusinesses involved in mergers and acquisitions must exercise due di.docx
Businesses involved in mergers and acquisitions must exercise due di.docxdewhirstichabod
 
security and system mainatance
security and system mainatancesecurity and system mainatance
security and system mainatanceKudzi Chikwatu
 
1 CITY OF DuPONT REQUEST FOR PROPOSALS .docx
1 CITY OF DuPONT REQUEST FOR PROPOSALS .docx1 CITY OF DuPONT REQUEST FOR PROPOSALS .docx
1 CITY OF DuPONT REQUEST FOR PROPOSALS .docxkarisariddell
 

Similar to Patch management policy_final (20)

PLAN DE CONTINGENCIA.pdf
PLAN DE CONTINGENCIA.pdfPLAN DE CONTINGENCIA.pdf
PLAN DE CONTINGENCIA.pdf
 
Policy and procedure of hospitals
Policy and procedure of hospitalsPolicy and procedure of hospitals
Policy and procedure of hospitals
 
Task 1.Complete the BIA table below and use it for the remai
Task 1.Complete the BIA table below and use it for the remaiTask 1.Complete the BIA table below and use it for the remai
Task 1.Complete the BIA table below and use it for the remai
 
Network Developement Capstone Project 2009 Sping Quarter
Network Developement Capstone Project 2009 Sping QuarterNetwork Developement Capstone Project 2009 Sping Quarter
Network Developement Capstone Project 2009 Sping Quarter
 
201810003 201750007project report
201810003 201750007project report201810003 201750007project report
201810003 201750007project report
 
Guidelines on Cyber Security in Power Sector 2021_R.pptx
Guidelines on Cyber Security in Power Sector 2021_R.pptxGuidelines on Cyber Security in Power Sector 2021_R.pptx
Guidelines on Cyber Security in Power Sector 2021_R.pptx
 
You have been hired as a consultant to design BCP for SanGrafix, a v.docx
You have been hired as a consultant to design BCP for SanGrafix, a v.docxYou have been hired as a consultant to design BCP for SanGrafix, a v.docx
You have been hired as a consultant to design BCP for SanGrafix, a v.docx
 
Absolute Software Governance-Risk-Compliance
Absolute Software Governance-Risk-ComplianceAbsolute Software Governance-Risk-Compliance
Absolute Software Governance-Risk-Compliance
 
Absolute grc-
Absolute grc-Absolute grc-
Absolute grc-
 
Capstone Finished
Capstone FinishedCapstone Finished
Capstone Finished
 
IRJET- Data Security in Local Network through Distributed Firewalls: A Review
IRJET- Data Security in Local Network through Distributed Firewalls: A ReviewIRJET- Data Security in Local Network through Distributed Firewalls: A Review
IRJET- Data Security in Local Network through Distributed Firewalls: A Review
 
IT Application Support Analyst Job Spec
IT Application Support Analyst Job SpecIT Application Support Analyst Job Spec
IT Application Support Analyst Job Spec
 
CONSULTANT ANALYSIS FOR MEDICAL FACILITY2CONSULTANT ANALYSIS FO.docx
CONSULTANT ANALYSIS FOR MEDICAL FACILITY2CONSULTANT ANALYSIS FO.docxCONSULTANT ANALYSIS FOR MEDICAL FACILITY2CONSULTANT ANALYSIS FO.docx
CONSULTANT ANALYSIS FOR MEDICAL FACILITY2CONSULTANT ANALYSIS FO.docx
 
Closing PCI WiFi Loopholes with AirMagnet Enterprise
Closing PCI WiFi Loopholes with AirMagnet EnterpriseClosing PCI WiFi Loopholes with AirMagnet Enterprise
Closing PCI WiFi Loopholes with AirMagnet Enterprise
 
IIOT on Variable Frequency Drives
IIOT on Variable Frequency DrivesIIOT on Variable Frequency Drives
IIOT on Variable Frequency Drives
 
Case Study - Monitoring and Evaluating the working of Telenor and ZTE
Case Study - Monitoring and Evaluating the working of Telenor and ZTECase Study - Monitoring and Evaluating the working of Telenor and ZTE
Case Study - Monitoring and Evaluating the working of Telenor and ZTE
 
Capstone Finished Presentation.doc
Capstone Finished Presentation.docCapstone Finished Presentation.doc
Capstone Finished Presentation.doc
 
Businesses involved in mergers and acquisitions must exercise due di.docx
Businesses involved in mergers and acquisitions must exercise due di.docxBusinesses involved in mergers and acquisitions must exercise due di.docx
Businesses involved in mergers and acquisitions must exercise due di.docx
 
security and system mainatance
security and system mainatancesecurity and system mainatance
security and system mainatance
 
1 CITY OF DuPONT REQUEST FOR PROPOSALS .docx
1 CITY OF DuPONT REQUEST FOR PROPOSALS .docx1 CITY OF DuPONT REQUEST FOR PROPOSALS .docx
1 CITY OF DuPONT REQUEST FOR PROPOSALS .docx
 

Recently uploaded

VIP Model Call Girls Kalyani Nagar ( Pune ) Call ON 8005736733 Starting From ...
VIP Model Call Girls Kalyani Nagar ( Pune ) Call ON 8005736733 Starting From ...VIP Model Call Girls Kalyani Nagar ( Pune ) Call ON 8005736733 Starting From ...
VIP Model Call Girls Kalyani Nagar ( Pune ) Call ON 8005736733 Starting From ...SUHANI PANDEY
 
Pooja 9892124323, Call girls Services and Mumbai Escort Service Near Hotel Gi...
Pooja 9892124323, Call girls Services and Mumbai Escort Service Near Hotel Gi...Pooja 9892124323, Call girls Services and Mumbai Escort Service Near Hotel Gi...
Pooja 9892124323, Call girls Services and Mumbai Escort Service Near Hotel Gi...Pooja Nehwal
 
Best VIP Call Girls Noida Sector 47 Call Me: 8448380779
Best VIP Call Girls Noida Sector 47 Call Me: 8448380779Best VIP Call Girls Noida Sector 47 Call Me: 8448380779
Best VIP Call Girls Noida Sector 47 Call Me: 8448380779Delhi Call girls
 
Brookefield Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore...
Brookefield Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore...Brookefield Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore...
Brookefield Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore...amitlee9823
 
Kala jadu for love marriage | Real amil baba | Famous amil baba | kala jadu n...
Kala jadu for love marriage | Real amil baba | Famous amil baba | kala jadu n...Kala jadu for love marriage | Real amil baba | Famous amil baba | kala jadu n...
Kala jadu for love marriage | Real amil baba | Famous amil baba | kala jadu n...babafaisel
 
Escorts Service Basapura ☎ 7737669865☎ Book Your One night Stand (Bangalore)
Escorts Service Basapura ☎ 7737669865☎ Book Your One night Stand (Bangalore)Escorts Service Basapura ☎ 7737669865☎ Book Your One night Stand (Bangalore)
Escorts Service Basapura ☎ 7737669865☎ Book Your One night Stand (Bangalore)amitlee9823
 
call girls in Vasundhra (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝...
call girls in Vasundhra (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝...call girls in Vasundhra (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝...
call girls in Vasundhra (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝...Delhi Call girls
 
Editorial design Magazine design project.pdf
Editorial design Magazine design project.pdfEditorial design Magazine design project.pdf
Editorial design Magazine design project.pdftbatkhuu1
 
(AISHA) Ambegaon Khurd Call Girls Just Call 7001035870 [ Cash on Delivery ] P...
(AISHA) Ambegaon Khurd Call Girls Just Call 7001035870 [ Cash on Delivery ] P...(AISHA) Ambegaon Khurd Call Girls Just Call 7001035870 [ Cash on Delivery ] P...
(AISHA) Ambegaon Khurd Call Girls Just Call 7001035870 [ Cash on Delivery ] P...ranjana rawat
 
Case Study of Hotel Taj Vivanta, Pune
Case Study of Hotel Taj Vivanta, PuneCase Study of Hotel Taj Vivanta, Pune
Case Study of Hotel Taj Vivanta, PuneLukeKholes
 
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756dollysharma2066
 
Peaches App development presentation deck
Peaches App development presentation deckPeaches App development presentation deck
Peaches App development presentation decktbatkhuu1
 
Tapestry Clothing Brands: Collapsing the Funnel
Tapestry Clothing Brands: Collapsing the FunnelTapestry Clothing Brands: Collapsing the Funnel
Tapestry Clothing Brands: Collapsing the Funneljen_giacalone
 
call girls in Kaushambi (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝...
call girls in Kaushambi (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝...call girls in Kaushambi (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝...
call girls in Kaushambi (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝...Delhi Call girls
 
Government polytechnic college-1.pptxabcd
Government polytechnic college-1.pptxabcdGovernment polytechnic college-1.pptxabcd
Government polytechnic college-1.pptxabcdshivubhavv
 
UI:UX Design and Empowerment Strategies for Underprivileged Transgender Indiv...
UI:UX Design and Empowerment Strategies for Underprivileged Transgender Indiv...UI:UX Design and Empowerment Strategies for Underprivileged Transgender Indiv...
UI:UX Design and Empowerment Strategies for Underprivileged Transgender Indiv...RitikaRoy32
 
DragonBall PowerPoint Template for demo.pptx
DragonBall PowerPoint Template for demo.pptxDragonBall PowerPoint Template for demo.pptx
DragonBall PowerPoint Template for demo.pptxmirandajeremy200221
 

Recently uploaded (20)

young call girls in Vivek Vihar🔝 9953056974 🔝 Delhi escort Service
young call girls in Vivek Vihar🔝 9953056974 🔝 Delhi escort Serviceyoung call girls in Vivek Vihar🔝 9953056974 🔝 Delhi escort Service
young call girls in Vivek Vihar🔝 9953056974 🔝 Delhi escort Service
 
young call girls in Pandav nagar 🔝 9953056974 🔝 Delhi escort Service
young call girls in Pandav nagar 🔝 9953056974 🔝 Delhi escort Serviceyoung call girls in Pandav nagar 🔝 9953056974 🔝 Delhi escort Service
young call girls in Pandav nagar 🔝 9953056974 🔝 Delhi escort Service
 
VIP Model Call Girls Kalyani Nagar ( Pune ) Call ON 8005736733 Starting From ...
VIP Model Call Girls Kalyani Nagar ( Pune ) Call ON 8005736733 Starting From ...VIP Model Call Girls Kalyani Nagar ( Pune ) Call ON 8005736733 Starting From ...
VIP Model Call Girls Kalyani Nagar ( Pune ) Call ON 8005736733 Starting From ...
 
Pooja 9892124323, Call girls Services and Mumbai Escort Service Near Hotel Gi...
Pooja 9892124323, Call girls Services and Mumbai Escort Service Near Hotel Gi...Pooja 9892124323, Call girls Services and Mumbai Escort Service Near Hotel Gi...
Pooja 9892124323, Call girls Services and Mumbai Escort Service Near Hotel Gi...
 
Best VIP Call Girls Noida Sector 47 Call Me: 8448380779
Best VIP Call Girls Noida Sector 47 Call Me: 8448380779Best VIP Call Girls Noida Sector 47 Call Me: 8448380779
Best VIP Call Girls Noida Sector 47 Call Me: 8448380779
 
Brookefield Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore...
Brookefield Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore...Brookefield Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore...
Brookefield Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore...
 
Kala jadu for love marriage | Real amil baba | Famous amil baba | kala jadu n...
Kala jadu for love marriage | Real amil baba | Famous amil baba | kala jadu n...Kala jadu for love marriage | Real amil baba | Famous amil baba | kala jadu n...
Kala jadu for love marriage | Real amil baba | Famous amil baba | kala jadu n...
 
Escorts Service Basapura ☎ 7737669865☎ Book Your One night Stand (Bangalore)
Escorts Service Basapura ☎ 7737669865☎ Book Your One night Stand (Bangalore)Escorts Service Basapura ☎ 7737669865☎ Book Your One night Stand (Bangalore)
Escorts Service Basapura ☎ 7737669865☎ Book Your One night Stand (Bangalore)
 
Call Girls Service Mukherjee Nagar @9999965857 Delhi 🫦 No Advance VVIP 🍎 SER...
Call Girls Service Mukherjee Nagar @9999965857 Delhi 🫦 No Advance VVIP 🍎 SER...Call Girls Service Mukherjee Nagar @9999965857 Delhi 🫦 No Advance VVIP 🍎 SER...
Call Girls Service Mukherjee Nagar @9999965857 Delhi 🫦 No Advance VVIP 🍎 SER...
 
call girls in Vasundhra (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝...
call girls in Vasundhra (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝...call girls in Vasundhra (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝...
call girls in Vasundhra (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝...
 
Editorial design Magazine design project.pdf
Editorial design Magazine design project.pdfEditorial design Magazine design project.pdf
Editorial design Magazine design project.pdf
 
(AISHA) Ambegaon Khurd Call Girls Just Call 7001035870 [ Cash on Delivery ] P...
(AISHA) Ambegaon Khurd Call Girls Just Call 7001035870 [ Cash on Delivery ] P...(AISHA) Ambegaon Khurd Call Girls Just Call 7001035870 [ Cash on Delivery ] P...
(AISHA) Ambegaon Khurd Call Girls Just Call 7001035870 [ Cash on Delivery ] P...
 
Case Study of Hotel Taj Vivanta, Pune
Case Study of Hotel Taj Vivanta, PuneCase Study of Hotel Taj Vivanta, Pune
Case Study of Hotel Taj Vivanta, Pune
 
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
 
Peaches App development presentation deck
Peaches App development presentation deckPeaches App development presentation deck
Peaches App development presentation deck
 
Tapestry Clothing Brands: Collapsing the Funnel
Tapestry Clothing Brands: Collapsing the FunnelTapestry Clothing Brands: Collapsing the Funnel
Tapestry Clothing Brands: Collapsing the Funnel
 
call girls in Kaushambi (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝...
call girls in Kaushambi (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝...call girls in Kaushambi (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝...
call girls in Kaushambi (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝...
 
Government polytechnic college-1.pptxabcd
Government polytechnic college-1.pptxabcdGovernment polytechnic college-1.pptxabcd
Government polytechnic college-1.pptxabcd
 
UI:UX Design and Empowerment Strategies for Underprivileged Transgender Indiv...
UI:UX Design and Empowerment Strategies for Underprivileged Transgender Indiv...UI:UX Design and Empowerment Strategies for Underprivileged Transgender Indiv...
UI:UX Design and Empowerment Strategies for Underprivileged Transgender Indiv...
 
DragonBall PowerPoint Template for demo.pptx
DragonBall PowerPoint Template for demo.pptxDragonBall PowerPoint Template for demo.pptx
DragonBall PowerPoint Template for demo.pptx
 

Patch management policy_final

  • 1. Patch Management Policy v1 1 Patch Management Policy (Version 1) Document Control Information: Date: 21/5/18 Master Tracking Name Patch Management Policy Master Tracking Reference Owning Service / Department Exeter IT Issue: 1 Approvals: Authors: P. Jones, T. Dyhouse and Ali Mitchell Approved By: Exeter IT Senior Management Team Authorised By: Chief Information & Digital Officer
  • 2. Patch Management Policy v1 2 Document Control Author Version Date Issued Changes Approval P. Jones 0.1 04/09/17 Creation of document T. Dyhouse 0.2 27/09/17 QA of V0.1 addition of CAB measures. P Jones 0.3 October 2017 Updates from CGR and split into two documents. Ali Mitchell 1.0 May 2018 Format and added in Third Party Suppliers Published Next review due: July 2018
  • 3. Patch Management Policy v1 3 Contents 1 Introduction…………………………………………………………………….4 2 Purpose………………………………………………………………………….4 3 Definitions………………………………………………………………………4 4 Scope…………………………………………………………………………….4 5 Policy…………………………………………………………………………….5 6 Roles and responsibilities……………………………………………………6 7 Monitoring and reporting……………………………………………………..6 8 Policy review and maintenance……………………………………………..6 9 Advice……………………………………………………………………………6
  • 4. Patch Management Policy v1 4 1. Introduction The University of Exeter has a responsibility to uphold the confidentiality, integrity and availability of the data held on its IT systems on and off site which includes systems and services supplied by third parties. The university has an obligation to provide appropriate and adequate protection of all IT estate whether it is IT systems on premise, in the Cloud or systems and services supplied by third parties. Effective implementation of this policy reduces the likelihood of compromise which may come from a malicious threat actor or threat source. 2. Purpose This document describes the requirements for maintaining up-to-date operating system security patches and software version levels on all the University of Exeter owned estate and services supplied by third parties. 3. Definitions The term IT systems includes:  Workstations  Servers (physical and virtual)  Firmware  Networks (including hardwired, Wi-Fi, switches, routers etc.)  Hardware  Software (databases, platforms etc.)  Applications (including mobile apps)  Cloud Services 4. Scope This policy applies to:  Workstations, servers, networks, hardware devices, software and applications owned by the University of Exeter and managed by Exeter IT. This includes third parties supporting University of Exeter IT systems.  Systems that contain company or customer data owned or managed by Exeter IT regardless of location. Again, this includes third party suppliers.  CCTV systems where recordings are backed up to the University’s networks.  Point of payment terminals using University of Exeter’s networks.  Third party suppliers of IT systems as defined in Section 3.
  • 5. Patch Management Policy v1 5 5. Policy University controls:  All IT systems (as defined in section 3), either owned by the University of Exeter or those in the process of being developed and supported by third parties, must be manufacturer supported and have up-to-date and security patched operating systems and application software.  Security patches must be installed to protect the assets from known vulnerabilities.  Any patches categorised as ‘Critical’ or ‘High risk’ by the vendor must be installed within 14 days of release from the operating system or application vendor unless prevented by University IT Change Control (CAB – Change Advisory Board) procedures.  Where CAB procedures prevent the installation of ‘Critical’ or ‘High risk’ security patches within 14 days a temporary means of mitigation will be applied to reduce the risk. o Workstations  All desktops and laptops that are managed by Exeter IT must meet the Laptop and Workstation Build Policy minimum requirements in build and setup. Any exceptions shall be documented and reported to Exeter IT Head of IT Security and Compliance. o Servers  Servers must comply with the recommended minimum requirements that are specified by Exeter IT which includes the default operating system level, service packs, hotfixes and patching levels. Any exceptions shall be documented and reported to Exeter IT Head of Security and Compliance. Third Party Suppliers: Security patches must be up-to-date for IT systems which are being designed and delivered by third party suppliers prior to going operational. Third party suppliers much be prepared to provide evidence of up-to-date patching before IT systems are accepted into service and thus become operational. Once the IT systems are operational the following patching timescales apply:  Critical or High Risk vulnerabilities – 14 calendar days  Medium – 21 calendar days  Low – 28 calendar days
  • 6. Patch Management Policy v1 6 6. Roles and Responsibilities  Exeter IT. o Will manage the patching needs for the Windows, Apple Mac OS and Linux estate that is connected to the University of Exeter domain. o Responsible for routinely assessing compliance with the patching policy and will provide guidance to all the stakeholder groups in relation to issues of security and patch management.  Change Advisory Board. o Responsible for approving the monthly and emergency patch management deployment requests.  End User. o The end user has a responsibility to ensure that patches are installed and the machine is rebooted when required. Any problems must be reported to Exeter IT.  Third Party Suppliers o Will ensure security patches must be up-to-date for IT systems which are being designed and delivered by third party suppliers prior to going operational. o Once the IT systems are operational third party suppliers must ensure vulnerability patching is carried out as stipulated in Section 5 – Policy. Where this is not possible, this must be escalated to the Head of IT Security and Compliance. 7. Monitoring and Reporting Those with patching roles as detailed in section 6 above are required to compile and maintain reporting metrics that summarise the outcome of each patching cycle. These reports shall be used to evaluate the current patching levels of all systems and to assess the current level of risk. These reports shall be made available to Cyber Security Team and Internal Audit upon request. 8. Policy Review and Maintenance The Policy will be reviewed and updated, annually, or as needed, to ensure that the policy remains aligned with changes to relevant laws, contractually obligations and best practice. 9. For advice Please contact either the Head of IT Security and Compliance or the IT Operations and Security Manager. Queries can be emailed to information-security@exeter.ac.uk