This policy establishes a standard framework and procedures for the implementation of business-as-usual software patching.
This policy applies to all software, servers, desktops, laptop computers, mobile phones and IT appliances owned and operated by
The Tech team, the Information Security Manager (ISM) and the (CTO) are responsible for executing the procedures included in this document.
4.1. Vulnerability assessment and patching will only be carried out by designated roles. These roles are:
4.1.1. Server Infrastructure Team – Assessment & Patching
4.1.2. Network Infrastructure Team – Assessment & Patching
4.1.3. IT Security Team – Assessment
4.2. All end user devices must be accurately recorded in the Internal Database, and all server, network and appliance devices must be recorded in the Server Database. A device that is missing from its inventory cannot be scanned or patched, so the inventories are the baseline for every other control in this policy.
4.3. Vulnerability scanning will be run at least quarterly. As the organization's scanning maturity develops, the frequency of scans will increase in line with that maturity. Vulnerability reports will be distributed to the system owners within 7 working days of the end of scanning. The IT Security Manager is responsible for running scans efficiently, effectively and on time, for the distribution of reports, and for the development of scanning maturity.
4.4. Threat Analysis will be undertaken by the IT Security Team, working with System Owners and Service Owners. The IT Security Team has the responsibility for ensuring that threats are evaluated in a timely manner. Where necessary, due to risk or time, threats will be escalated to the Digital and Information Systems Senior Management Team for prioritization.
4.5. Threat Analysis (Discover and Assess) will determine whether the Patch or Vulnerability Mitigation is progressed to implementation. Priority is determined using the attached Priority Schedule(s).
4.6. Patches and vulnerability mitigation packages must be obtained from the relevant vendor or another trusted source. Each package must be authenticated, and its integrity verified, using the method provided by the source. Credible sources publish an authentication method, normally a digital signature (for example an OpenPGP signature or a code-signing certificate) over the package itself or over its checksum file. A checksum on its own (MD5, SHA-256 or similar) verifies that the download was not corrupted or altered in transit, but it does not establish who produced the package when the checksum is fetched from the same location as the package; MD5 in particular must not be relied on, since collisions are practical. Internal testing (4.9) is a separate control and does not replace authentication. No package may be deployed unless its authenticity has been established.
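A worked example of the two checks required by 4.6, added here and not part of the policy document: verify a package against a vendor-published checksum file in sha256sum format, then authenticate that checksum file with gpg against a detached OpenPGP signature. It assumes the vendor's signing key has already been imported out of band (not from the download location), that gpg is on PATH for the signature step, and that checksum lines use the coreutils "<hexdigest>  <filename>" layout. The package contents, file names and digest line are constructed for the example.

```python
"""Package authentication and integrity checks for policy clause 4.6 (added example)."""
from __future__ import annotations

import hashlib
import hmac
import subprocess
import tempfile
from pathlib import Path

# Digests accepted for integrity checks. MD5 and SHA-1 are deliberately excluded:
# collisions are practical for both, so a matching digest proves little.
ACCEPTED_ALGORITHMS = {"sha256", "sha512"}


def parse_checksum_file(text: str) -> dict[str, str]:
    """Parse '<hexdigest>  <filename>' lines as written by sha256sum/sha512sum.
    A leading '*' on the filename marks binary mode and is stripped."""
    digests: dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        if not digest or not name:
            raise ValueError(f"malformed checksum line: {line!r}")
        digests[name.lstrip("*")] = digest.lower()
    return digests


def file_digest(path: Path, algorithm: str) -> str:
    """Stream the file through the chosen digest; reject weak algorithms up front."""
    if algorithm not in ACCEPTED_ALGORITHMS:
        raise ValueError(f"{algorithm} is not an accepted integrity algorithm")
    h = hashlib.new(algorithm)
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_checksum(path: Path, checksum_text: str, algorithm: str = "sha256") -> bool:
    """True only if the file's digest matches the entry for its name in the checksum file."""
    expected = parse_checksum_file(checksum_text).get(path.name)
    if expected is None:
        return False
    return hmac.compare_digest(expected, file_digest(path, algorithm))


def verify_detached_signature(signed_file: Path, signature: Path, signer_fingerprint: str) -> bool:
    """Authenticate the checksum file with gpg (assumes gpg on PATH and the vendor key imported).
    The package's integrity is only as good as the authenticity of its checksum file, so this
    step is what turns a checksum match into evidence of origin. A signature is accepted only
    if gpg reports VALIDSIG and the key fingerprint is the one we expect, so a signature from
    some other imported key is rejected."""
    want = signer_fingerprint.replace(" ", "").upper()
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", str(signature), str(signed_file)],
        capture_output=True, text=True, check=False,
    )
    for line in proc.stdout.splitlines():
        # Status line: [GNUPG:] VALIDSIG <signing-key fpr> <date> <ts> ... [<primary-key fpr>]
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "[GNUPG:]" and parts[1] == "VALIDSIG":
            return parts[2].upper() == want or parts[-1].upper() == want
    return False


def run_example() -> dict[str, bool]:
    """Exercise the integrity checks on a constructed package (not a real vendor artefact)."""
    with tempfile.TemporaryDirectory() as tmp:
        pkg = Path(tmp) / "agent-1.2.3.tar.gz"
        pkg.write_bytes(b"abc")  # constructed contents; sha256(b"abc") is the well-known value below
        sums = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  agent-1.2.3.tar.gz\n"
        checksum_ok = verify_checksum(pkg, sums)
        pkg.write_bytes(b"abd")  # simulate a tampered or corrupted download
        tampered_rejected = not verify_checksum(pkg, sums)
        try:
            file_digest(pkg, "md5")
            md5_rejected = False
        except ValueError:
            md5_rejected = True
    return {"checksum_ok": checksum_ok, "tampered_rejected": tampered_rejected, "md5_rejected": md5_rejected}


if __name__ == "__main__":
    print(run_example())
```

In practice the order matters: run verify_detached_signature on the SHA256SUMS file first, and only then trust its entries for verify_checksum. Comparing the fingerprint rather than merely checking the exit status is what stops an attacker-supplied key that happens to be in the keyring from passing the check.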
4.7. All devices must run the latest supported and patched versions of software prior to being released as a live service.
4.8. No RFC pertaining to patching or updates should be permitted to proceed without following the complete RFC process through to and including approval.
4.9. Manual patches and updates will be tested prior to implementation into any live (or representative) environment to avoid unacceptable side effects. Where this is not possible, authority to proceed must be obtained from the Service Owner. This authority must be included in the Request for Change (RFC) as one of:
b) Copy of email approval embedded in the RFC.
c) Free text approval included in the RFC.
4.9.1. What is the Request for Change process followed at ?
4.10. A back-out or recovery plan that allows safe restoration to the pre-patch state must be devised prior to any patch or update.
4.10.1 What is the recovery plan followed for safe restoration to the pre-patch state at ?
4.11. Patches will be applied according to the defined schedule and established patch windows or via Request for Change. Manual patching schedules are to be held and managed by the local teams responsible.
4.12. Team audits must be carried out to ensure that patches and updates have been applied as required or as notified by vendors, and that they are functioning as expected. Team audits must be led by the respective Team Manager and undertaken at least twice a year. Outcomes of the audit must be reported to the IT Security Manager. Where it is identified that teams are unable to meet patching and update objectives, Team Managers should consult the IT Security Manager for assistance with remedial actions.
4.13 What is your team audit process, and how frequently is it carried out?
5.1. Exceptions shall not be universal but shall be agreed on a case-by-case basis, upon official request made by the information owner. These may arise, for example, because of local circumstances, conditions or legal reasons existing at any point in time.
5.2. All exception requests shall be submitted to (CTO). These shall be submitted through an email and be approved by (CTO).
6.1. reserves all rights and is the exclusive owner of all intellectual property rights over this Policy document. This document shall not, either in part or in full, be reproduced, published, copied, displayed, distributed, transferred or stored in any media (such as hard disks, USB drives, pen drives, memory cards, CDs, DVDs), and/or captured or transmitted by any means (such as electronic, digital, mechanical, photocopying, recordings, video and film or photographs and otherwise) by any person without prior consent from the ISM. This Policy and procedure document is made available by the ISM and/or any other forum as decided by the management of . Anything not specifically stated in this Policy and procedure document shall not be considered as implied in any manner.
6.2. For any clarifications related to this Compliance Policy and procedure document with respect to its interpretation, applicability, and implementation, please write to the ISMS team at dpo@.com
7.1. This policy and procedure is applicable to all the employees of the company who have access to and use the information assets and IT assets as listed in the Information Asset register which has been created for
7.2. Anyone found to have violated this policy will be subject to a process that will determine whether the violation is only a process non-compliance issue that requires addressing, or also includes ethical violations. In the event of only the former, a non-compliance may be issued by an internal auditor, which would require corrective/preventive actions.
7.3. In the event of the latter, the ethical/regulatory concern process will be invoked to decide whether an ethical/security violation has occurred and to decide on appropriate disciplinary actions as per the Disciplinary procedure of
Management’s interpretation of the clauses in this procedure shall be final and binding. Management reserves the right to alter or amend any clause in this document at any time as per its discretion.