Establish, implement, and maintain a patch management program.


CONTROL ID
00896
CONTROL TYPE
Process or Activity
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a change control program., CC ID: 00886

This Control has the following implementation support Control(s):
  • Document the sources of all software updates., CC ID: 13316
  • Implement patch management software, as necessary., CC ID: 12094
  • Include updates and exceptions to hardened images as a part of the patch management program., CC ID: 12087
  • Establish, implement, and maintain a patch management policy., CC ID: 16432
  • Establish, implement, and maintain patch management procedures., CC ID: 15224
  • Establish, implement, and maintain a patch log., CC ID: 01642
  • Perform a patch test prior to deploying a patch., CC ID: 00898
  • Prioritize deploying patches according to vulnerability risk metrics., CC ID: 06796
  • Deploy software patches in accordance with organizational standards., CC ID: 07032
  • Update computer firmware, as necessary., CC ID: 11755


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • AIs should establish a secure Internet infrastructure (including the design of the demilitarized zone and configuration of the relevant devices, as well as intrusion detection controls) to support their Internet banking system. Moreover, AIs should implement adequate security measures for the intern… (§ 5.2.1, Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, v.2)
  • for terminals allowing deposit of banknotes, careful assessment and selection of terminals should be performed having regard to, among other factors, their capability in detecting counterfeit banknotes and related test results. As vendors of these terminals would make available system updates from t… (§ 7.3.2(iii), Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, v.2)
  • AIs should establish a secure Internet infrastructure (including the design of the demilitarized zone and configuration of the relevant devices, as well as intrusion detection controls) to support their Internet banking system. Moreover, AIs should implement adequate security measures for the intern… (§ 5.2.1, Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, V.3)
  • A licensed or registered person should monitor and evaluate security patches or hotfixes released by software provider(s) on a timely basis and, subject to an evaluation of the impact, conduct testing as soon as practicable and implement the security patches or hotfixes within one month following th… (2.4. ¶ 1, Guidelines for Reducing and Mitigating Hacking Risks Associated with Internet Trading)
  • O56.3(5): For software installed in routers, servers, and other external connection devices, the organization shall collect information about security holes and other deficiencies and implement software upgrading and other corrective actions. It should apply, depending on the significance for busine… (O56.3(5), O105-1.2(8), FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • Patch Management (Critical components of information security 1) 2) q. xix., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • There should be documented standards / procedures for patch management. The standards / procedures for patch management should include a method of defining roles and responsibilities for patch management, determining the importance of systems (e.g., based on the information handled, the business… (Critical components of information security 19) ii., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • A Patch Management process needs to be in place to address technical system and software vulnerabilities quickly and effectively in order to reduce the likelihood of a serious business impact arising. (Critical components of information security 19) i., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Assessing the business impact of implementing patches (or not implementing a particular patch) (Critical components of information security 19) iii.c., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Describing methods of deploying patches, for example, through automated manner (Critical components of information security 19) iii.e., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Ongoing support and maintenance controls would be needed to ensure that IT assets continue to meet business objectives. Major controls in this regard include change management controls to ensure that the business objectives continue to be met following change; configuration management controls to en… (Critical components of information security 6) (iii), Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • The change management process should apply to changes pertaining to system and security configurations, patches for hardware devices and software updates. (§ 7.1.2, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • The FI should establish and ensure that the patch management procedures include the identification, categorisation and prioritisation of security patches. To implement security patches in a timely manner, the FI should establish the implementation timeframe for each category of security patches. (§ 9.5.1, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • A patch management process should be established to ensure applicable functional and non-functional patches (e.g. fixes for security vulnerabilities and software bugs) are implemented within a timeframe that is commensurate with the criticality of the patches and the FI's IT systems. (§ 7.4.1, Technology Risk Management Guidelines, January 2021)
  • Security vulnerabilities in applications and drivers assessed as extreme risk are patched, updated or mitigated within 48 hours of the security vulnerabilities being identified by vendors, independent third parties, system managers or users. (Security Control: 1144; Revision: 9, Australian Government Information Security Manual, March 2021)
  • Security vulnerabilities in operating systems and firmware assessed as moderate or low risk are patched, updated or mitigated within one month of the security vulnerability being identified by vendors, independent third parties, system managers or users. (Security Control: 1496; Revision: 0, Australian Government Information Security Manual, March 2021)
  • High assurance ICT equipment is only patched with patches approved by the ACSC using methods and timeframes prescribed by the ACSC. (Security Control: 0300; Revision: 6, Australian Government Information Security Manual, March 2021)
  • Security vulnerabilities in applications and drivers assessed as moderate or low risk are patched, updated or mitigated within one month of the security vulnerability being identified by vendors, independent third parties, system managers or users. (Security Control: 1472; Revision: 1, Australian Government Information Security Manual, March 2021)
  • An automated mechanism is used to confirm and record that deployed operating system and firmware patches or updates have been installed, applied successfully and remain in place. (Security Control: 1500; Revision: 0, Australian Government Information Security Manual, March 2021)
  • Security vulnerabilities in operating systems and firmware assessed as high risk are patched, updated or mitigated within two weeks of the security vulnerability being identified by vendors, independent third parties, system managers or users. (Security Control: 1495; Revision: 0, Australian Government Information Security Manual, March 2021)
  • A patch management process, and supporting patch management procedures, is developed and implemented. (Security Control: 1143; Revision: 7, Australian Government Information Security Manual, March 2021)
  • Security vulnerabilities in operating systems and firmware assessed as extreme risk are patched, updated or mitigated within 48 hours of the security vulnerabilities being identified by vendors, independent third parties, system managers or users. (Security Control: 1494; Revision: 0, Australian Government Information Security Manual, March 2021)
  • Security vulnerabilities in applications and drivers assessed as high risk are patched, updated or mitigated within two weeks of the security vulnerability being identified by vendors, independent third parties, system managers or users. (Security Control: 0940; Revision: 8, Australian Government Information Security Manual, March 2021)
  • An automated mechanism is used to confirm and record that deployed application and driver patches or updates have been installed, applied successfully and remain in place. (Security Control: 1497; Revision: 0, Australian Government Information Security Manual, March 2021)
  • A centralised and managed approach is used to patch or update applications and drivers. (Security Control: 0298; Revision: 7, Australian Government Information Security Manual, March 2021)
  • An approach for patching or updating operating systems and firmware that ensures the integrity and authenticity of patches or updates, as well as the processes used to apply them, is used. (Security Control: 1499; Revision: 0, Australian Government Information Security Manual, March 2021)
  • A centralised and managed approach that maintains the integrity of patches or updates, and confirms that they have been applied successfully, is used to patch or update applications, operating systems, drivers and firmware. (Control: ISM-0298; Revision: 8, Australian Government Information Security Manual, June 2023)
  • A centralised and managed approach that maintains the integrity of patches or updates, and confirms that they have been applied successfully, is used to patch or update applications, operating systems, drivers and firmware. (Control: ISM-0298; Revision: 8, Australian Government Information Security Manual, September 2023)
  • The organization must establish and maintain a patch management strategy that covers the patching or upgrading of Operating Systems and applications. (Control: 1143, Australian Government Information Security Manual: Controls)
  • The organization should ensure security patches, driver updates, firmware updates, and application installations are applied through centralized patch management and application management. (Control: 0298, Australian Government Information Security Manual: Controls)
  • The organization must not patch high assurance products or High Grade Cryptographic Equipment absent the approval of the Defence Signals Directorate. (Control: 0300, Australian Government Information Security Manual: Controls)
  • The organization should implement controls that resolve known vulnerabilities that cannot be patched or a security patch is not available by asking the vendor for an alternate method to manage the vulnerability; disable the functionality that is associated with the vulnerability through product conf… (Control: 0941 Bullet 1, Australian Government Information Security Manual: Controls)
  • The organization should implement controls to prevent the exploitation of known vulnerabilities that cannot be patched or a security patch is not available by applying external input sanitization, if input triggers the exploit; applying access controls to prevent Access to the vulnerability; applyin… (Control: 0941 Bullet 2, Australian Government Information Security Manual: Controls)
  • The organization should implement controls to contain the exploit of known vulnerabilities that cannot be patched or a security patch is not available by applying Mandatory Access Control to prevent the exploitable code from being executed; applying firewall rules that limit outbound traffic; or set… (Control: 0941 Bullet 3, Australian Government Information Security Manual: Controls)
  • The organization should implement controls to detect intrusions due to known vulnerabilities that cannot be patched or a security patch is not available by implementing an Intrusion Detection System; monitoring logging alerts; or using other methods to detect exploits using the known vulnerabilities… (Control: 0941 Bullet 4, Australian Government Information Security Manual: Controls)
  • The organization should implement patch management controls for managing and assessing patches in a timely way. (¶ 54(d), APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • patch management controls to manage the assessment and application of patches to software that address known vulnerabilities in a timely manner; (¶ 54(d), APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • The documented change management procedures should be used when applying patches and updates to the system. (§ 3.5.14, Australian Government ICT Security Manual (ACSI 33))
  • Financial institutions should establish and implement processes and organisation structures to identify and constantly monitor security threats that could materially affect their abilities to provide services. Financial institutions should actively monitor technological developments to ensure that t… (3.4.5 39, Final Report EBA Guidelines on ICT and security risk management)
  • An adequate patch management is defined and implemented (e.g. patch testing and installation). (5.2.5 Requirements (should) Bullet 1, Information Security Assessment, Version 5.1)
  • Are laptops updated with critical patches? (Table Row II.23, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • If laptops are updated with critical patches and virus definitions, are they updated by manual means or by Short Message Service push? (Table Row II.23, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • When applying a patch to any system vulnerability, does the organization have a process for verifying the integrity, and testing the proper functioning of the patch? (Table Row III.6, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • If the incident resulted from an unpatched vulnerability, is the patch acquired, tested, and installed in a timely way? (Table Row XII.10, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • On machines that are authorized Domain Name Server servers, have they been updated to the latest version and patch level? (App Table Active Content Filtering Row 2.b, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Apply the latest OS patches. (§ 1.1, The Center for Internet Security AIX Benchmark, 1.0.1)
  • Apply the latest OS patches. (§ 1.1, The Center for Internet Security FreeBSD Benchmark, 1.0.5)
  • Apply the latest OS patches. (§ 1.1, The Center for Internet Security HP-UX Benchmark, 1.4.2)
  • Apply the latest OS patches. (§ 1.1, The Center for Internet Security Red Hat Enterprise Linux Benchmark, 1.0.5)
  • Apply the latest OS patches. (§ 1.1, The Center for Internet Security Red Hat Enterprise Linux Benchmark, 1.1.1)
  • Apply the latest OS patches. (§ 1.1, The Center for Internet Security Slackware Linux Benchmark, 1.1)
  • The latest OS patches are called for. (§ 1.1, The Center for Internet Security Solaris 10 Benchmark, 2.1.2)
  • Apply the latest OS patches. (§ 1.1, The Center for Internet Security Solaris Benchmark, 1.5.0)
  • Apply the latest OS patches. (§ 1.1, The Center for Internet Security SuSE Linux Enterprise Server Benchmark, 2)
  • Develop a strategy and plan for infrastructure maintenance, and ensure that changes are controlled in line with the organisation's change management procedure. Include periodic reviews against business needs, patch management, upgrade strategies, risks, vulnerabilities assessment and security requir… (AI3.3 Infrastructure Maintenance, CobiT, Version 4.1)
  • If there is a new firmware release, install it in the router. Keep firewalls up to date, and install available patches regularly. Keep the OS up-to-date and patched regularly. Keep RDBMS up-to-date, and patch regularly. Keep Web servers up-to-date, also patch, and scan regularly. Keep the applicatio… (§ 3-3, § 3-4, § 3-8, § 3-10, § 3-13, § 3-15, MasterCard Electronic Commerce Security Architecture Best Practices, April 2003)
  • How are VM images (including inactive and replicated VMs) ensured to have up-to-date anti-malware and patches before they are enabled for use? (Appendix D, Maintain a Vulnerability Management Program Bullet 2, Information Supplement: PCI DSS Cloud Computing Guidelines, Version 2.0)
  • How are patches managed (e.g., prioritized, tested, approved, and deployed), for both underlying CSP systems and provisioned client environments? (Appendix D, Maintain a Vulnerability Management Program Bullet 3, Information Supplement: PCI DSS Cloud Computing Guidelines, Version 2.0)
  • Examine the policies and procedures to verify that change control procedures for implementing software modifications and security patches are documented. (Testing Procedures § 6.4 Bullet 5, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Develop and maintain secure systems and applications. (§ 6, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • Change control procedures for the implementation of security patches and software modifications. (§ 6.4.5, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • Develop and maintain secure systems and applications. (PCI DSS Requirements § 6, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • Are change-control procedures for implementing security patches and software modifications documented and require the following? - Documentation of impact - Documented change control approval by authorized parties - Functionality testing to verify that the change does not adversely impact the securi… (6.4.5 (a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.1)
  • Procedures should be in place by software vendors for the development and deployment of security patches and upgrades in a timely manner. All patches and upgrades should be delivered securely using a known chain-of-trust and a method that maintains the integrity of the patches/upgrades. Measures sho… (§ 7.2, § 8.1, Payment Card Industry (PCI) Payment Application Data Security Standard, Version 1.1)
  • Are all system components and software protected from known vulnerabilities by installing applicable vendor-supplied security patches? (PCI DSS Question 6.2(a), PCI DSS Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.0)
  • Are all system components and software protected from known vulnerabilities by installing applicable vendor-supplied security patches? (PCI DSS Question 6.2(a), PCI DSS Self-Assessment Questionnaire B-IP and Attestation of Compliance, Version 3.0)
  • Are all system components and software protected from known vulnerabilities by installing applicable vendor-supplied security patches? (PCI DSS Question 6.2(a), PCI DSS Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.0)
  • Are all system components and software protected from known vulnerabilities by installing applicable vendor-supplied security patches? (PCI DSS Question 6.2(a), PCI DSS Self-Assessment Questionnaire C-VT and Attestation of Compliance, Version 3.0)
  • Are all system components and software protected from known vulnerabilities by installing applicable vendor-supplied security patches? (PCI DSS Question 6.2(a), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • Are all system components and software protected from known vulnerabilities by installing applicable vendor-supplied security patches? (PCI DSS Question 6.2(a), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • A key technical control that should be included in a well-managed IT environment is the change management process, including patch management. This control ensures all changes and patches to systems, software, data, and network components have been implemented. (§ 5.3.5 ¶ 4, IIA Global Technology Audit Guide (GTAG) 1: Information Technology Controls)
  • Patches should be treated as a category of change and should be subject to the normal change management process. Patch deployment should be, ideally, in pre-production processes, so they can be adequately tested and should be deployed as part of a scheduled software release. (§ 3.1 ¶ 4, § 4.5 ¶ 1, IIA Global Technology Audit Guide (GTAG) 2:Change and Patch Management Controls: Critical for Organizational Success)
  • The deployment of patches should be accomplished with the use of automated patching solutions. (§ 3.4 (Achieving Efficiency Through Automation), IIA Global Technology Audit Guide (GTAG) 6: Managing and Auditing IT Vulnerabilities)
  • There should be documented standards / procedures for patch management which specify the requirement to patch a range of business applications, Information Systems, and network devices. (CF.10.01.01a, The Standard of Good Practice for Information Security)
  • There should be documented standards / procedures for patch management which specify the organization's approach to patching (e.g., what is to be patched). (CF.10.01.01b, The Standard of Good Practice for Information Security)
  • There should be documented standards / procedures for patch management which specify the testing requirements (e.g., provision of a test environment). (CF.10.01.01c, The Standard of Good Practice for Information Security)
  • There should be documented standards / procedures for patch management which specify the methods of patch distribution (e.g., automated deployment). (CF.10.01.01d, The Standard of Good Practice for Information Security)
  • A patch management process should be established to govern the application of patches to business applications (e.g., on servers, mobile devices and consumer devices). (CF.10.01.02a-1, The Standard of Good Practice for Information Security)
  • A patch management process should be established to govern the application of patches to Operating System software (e.g., on servers, mobile devices, and consumer devices). (CF.10.01.02a-2, The Standard of Good Practice for Information Security)
  • A patch management process should be established to govern the application of patches to firmware (e.g., on servers, mobile devices, and consumer devices). (CF.10.01.02a-3, The Standard of Good Practice for Information Security)
  • A patch management process should be established to govern the application of patches to computer equipment (including servers, mobile devices, laptops, and netbooks). (CF.10.01.02b, The Standard of Good Practice for Information Security)
  • A patch management process should be established to govern the application of patches to consumer devices (including tablets and smartphones). (CF.10.01.02c, The Standard of Good Practice for Information Security)
  • A patch management process should be established to govern the application of patches to virtual systems (e.g., virtual servers and virtual desktops). (CF.10.01.02d, The Standard of Good Practice for Information Security)
  • A patch management process should be established to govern the application of patches to network storage systems (including Storage Area Network (SAN) and network-attached storage (NAS)). (CF.10.01.02e, The Standard of Good Practice for Information Security)
  • A patch management process should be established to govern the application of patches to network equipment (e.g., routers, switches, Wireless Access Points, and firewalls). (CF.10.01.02f, The Standard of Good Practice for Information Security)
  • A patch management process should be established to govern the application of patches to Voice over Internet Protocol telephony software and conferencing equipment. (CF.10.01.02g, The Standard of Good Practice for Information Security)
  • A patch management process should be established to govern the application of patches to office equipment (e.g., network printers and multifunction devices). (CF.10.01.02h, The Standard of Good Practice for Information Security)
  • A patch management process should be established to govern the application of patches to specialist equipment (e.g., Information Systems that support or enable the organisation's critical infrastructure, such as Supervisory Control and Data Acquisition systems, process control personal computers, an… (CF.10.01.02i, The Standard of Good Practice for Information Security)
  • A method should be established for determining the importance of Information Systems (e.g., based on the information handled, the business processes supported, and the environments in which they are used) to help identify the extent of patching, timescales for deploying patches, and the order in whi… (CF.10.01.03b, The Standard of Good Practice for Information Security)
  • The patch management process should be applied on a continuous basis (at least daily). (CF.10.01.04d, The Standard of Good Practice for Information Security)
  • The patch management process should help relevant managers to determine whether software code that can exploit a new vulnerability (often referred to as a 'zero day exploit') is publicly available, either as a 'proof of concept' or as actual malicious code. (CF.10.01.05b, The Standard of Good Practice for Information Security)
  • The patch management process should help relevant managers to identify and obtain patches when they are available to address discovered vulnerabilities (e.g., by tracking Computer Emergency Response Team alerts, vendor websites, and mailing lists). (CF.10.01.05c, The Standard of Good Practice for Information Security)
  • The patch management process should help relevant managers to decide when to deploy patches (e.g., by assessing potential post-deployment impact to the organization, determining the criticality of patches (using the Common Vulnerability Scoring System (CVSS) or equivalent) and analyzing the results … (CF.10.01.05d, The Standard of Good Practice for Information Security)
  • The patch management process should assess the business impact of implementing patches (or not implementing a particular patch). (CF.10.01.06b, The Standard of Good Practice for Information Security)
  • The patch management process should provide methods of deploying patches to systems that are not connected to the network (e.g., standalone computers). (CF.10.01.06e-1, The Standard of Good Practice for Information Security)
  • The patch management process should provide methods of deploying patches to devices that connect to the network infrequently (e.g., traveling staff). (CF.10.01.06e-2, The Standard of Good Practice for Information Security)
  • The patch management process should include methods of dealing with the failed deployment of a patch (e.g., redeployment of the patch). (CF.10.01.06g, The Standard of Good Practice for Information Security)
  • Methods should be established to protect information, business applications, and technical infrastructure if no patch is available for an identified vulnerability (e.g., by disabling services, adding additional access controls, and performing detailed monitoring). (CF.10.01.07, The Standard of Good Practice for Information Security)
  • Network devices should be subject to standard security management practices, which includes keeping network devices up-to-date (e.g., by applying Change Management and patch management). (CF.09.01.03d, The Standard of Good Practice for Information Security)
  • There should be documented standards / procedures for configuring network devices (e.g., routers, hubs, bridges, concentrators, switches, and firewalls), which covers vulnerability and patch management. (CF.09.01.01e, The Standard of Good Practice for Information Security)
  • There should be a Process for dealing with vulnerabilities in network devices, which includes testing patches for network devices and applying them in a timely manner. (CF.09.01.06d, The Standard of Good Practice for Information Security)
  • The patch management process should describe methods of deploying patches in a timely way (e.g., grouping multiple patches and using software distribution tools). (CF.10.01.06d, The Standard of Good Practice for Information Security)
  • There should be documented standards / procedures for patch management which specify the requirement to patch a range of business applications, Information Systems, and network devices. (CF.10.01.01a, The Standard of Good Practice for Information Security, 2013)
  • There should be documented standards / procedures for patch management which specify the organization's approach to patching (e.g., what is to be patched). (CF.10.01.01d, The Standard of Good Practice for Information Security, 2013)
  • A patch management process should be established to govern the application of patches to computer equipment (including servers, mobile devices, laptops, and netbooks). (CF.10.01.02b, The Standard of Good Practice for Information Security, 2013)
  • A patch management process should be established to govern the application of patches to consumer devices (including tablets and smartphones). (CF.10.01.02c, The Standard of Good Practice for Information Security, 2013)
  • A patch management process should be established to govern the application of patches to virtual systems (e.g., virtual servers and virtual desktops). (CF.10.01.02d, The Standard of Good Practice for Information Security, 2013)
  • A patch management process should be established to govern the application of patches to network storage systems (including Storage Area Network (SAN) and network-attached storage (NAS)). (CF.10.01.02e, The Standard of Good Practice for Information Security, 2013)
  • A patch management process should be established to govern the application of patches to network equipment (e.g., routers, switches, Wireless Access Points, and firewalls). (CF.10.01.02f, The Standard of Good Practice for Information Security, 2013)
  • A patch management process should be established to govern the application of patches to Voice over Internet Protocol telephony software and conferencing equipment. (CF.10.01.02g, The Standard of Good Practice for Information Security, 2013)
  • A patch management process should be established to govern the application of patches to office equipment (e.g., network printers and multifunction devices). (CF.10.01.02h, The Standard of Good Practice for Information Security, 2013)
  • A patch management process should be established to govern the application of patches to specialist equipment (e.g., Information Systems that support or enable the organisation's critical infrastructure, such as Supervisory Control and Data Acquisition systems, process control personal computers, an… (CF.10.01.02i, The Standard of Good Practice for Information Security, 2013)
  • The patch management process should help relevant managers to identify and obtain patches when they are available to address discovered vulnerabilities (e.g., by tracking Computer Emergency Response Team alerts, vendor websites, and mailing lists). (CF.10.01.04d, The Standard of Good Practice for Information Security, 2013)
  • Network devices should be subject to standard security management practices, which includes keeping network devices up-to-date (e.g., by applying Change Management and patch management). (CF.09.01.03d, The Standard of Good Practice for Information Security, 2013)
  • There should be documented standards / procedures for configuring network devices (e.g., routers, hubs, bridges, concentrators, switches, and firewalls), which covers vulnerability and patch management. (CF.09.01.01e, The Standard of Good Practice for Information Security, 2013)
  • There should be a Process for dealing with vulnerabilities in network devices, which includes testing patches for network devices and applying them in a timely manner. (CF.09.01.06d, The Standard of Good Practice for Information Security, 2013)
  • There should be documented standards / procedures for patch management which specify the methods of patch distribution (e.g., automated deployment). (CF.10.01.01e, The Standard of Good Practice for Information Security, 2013)
  • A patch management process should be established to govern the application of patches to business applications (e.g., on servers, mobile devices and consumer devices). (CF.10.01.02a, The Standard of Good Practice for Information Security, 2013)
  • The patch management process should be applied on a continuous basis (at least daily). (CF.10.01.03e, The Standard of Good Practice for Information Security, 2013)
  • The patch management process should help relevant managers to decide when to deploy patches (e.g., by assessing potential post-deployment impact to the organization, determining the criticality of patches (using the Common Vulnerability Scoring System (CVSS) or equivalent) and analyzing the results … (CF.10.01.04e, The Standard of Good Practice for Information Security, 2013)
  • The patch management process should assess the business impact of implementing patches (or not implementing a particular patch). (CF.10.01.08b, The Standard of Good Practice for Information Security, 2013)
  • The patch management process should provide methods of deploying patches to systems that are not connected to the network (e.g., standalone computers). (CF.10.01.08e, The Standard of Good Practice for Information Security, 2013)
  • The patch management process should include methods of dealing with the failed deployment of a patch (e.g., redeployment of the patch). (CF.10.01.08g, The Standard of Good Practice for Information Security, 2013)
  • Methods should be established to protect information, business applications, and technical infrastructure if no patch is available for an identified vulnerability (e.g., by disabling services, adding additional access controls, and performing detailed monitoring). (CF.10.01.09, The Standard of Good Practice for Information Security, 2013)
  • The patch management process should describe methods of deploying patches in a timely way (e.g., grouping multiple patches and using software distribution tools). (CF.10.01.08d, The Standard of Good Practice for Information Security, 2013)
  • The patch management process should help relevant managers to determine whether software code that can exploit a new vulnerability (often referred to as a 'zero day exploit') is publicly available, either as a 'proof of concept' or as actual malicious code. (CF.10.01.04c, The Standard of Good Practice for Information Security, 2013)
  • Without a concerted, repeatable application security configuration process, systems are at a higher risk. (A05:2021 – Security Misconfiguration, OWASP Top 10 - 2021)
  • Security misconfiguration is the most commonly seen issue. This is commonly a result of insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information. Not only must all operating syste… (A6:2017-Security Misconfiguration, OWASP Top 10, 2017)
  • All systems should be kept current by ensuring the latest vendor security patches have been installed. (Action 1.1.1 ¶ 1, SANS Computer Security Incident Handling, Version 2.3.1)
  • Establish a process to risk-rate vulnerabilities based on the exploitability and potential impact of the vulnerability, and segmented by appropriate groups of assets (example, DMZ servers, internal network servers, desktops, laptops). Apply patches for the riskiest vulnerabilities first. A phased ro… (Control 4.8, The CIS Critical Security Controls for Effective Cyber Defense, Version 6.0)
  • The organization should verify that all the latest software has been fully patched. (Critical Control 3.5, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • Policies and procedures shall be established and mechanism implemented for vulnerability and patch management, ensuring that application, system, and network device vulnerabilities are evaluated and vendor-supplied security patches applied in a timely way taking a risk-based approach for prioritizin… (IS-20, The Cloud Security Alliance Controls Matrix, Version 1.3)
  • Technical vulnerabilities to systems and software are released in bulletins. Once the organization receives a bulletin, it should take action. An effective management process establishes roles and responsibilities; identifies relevant sources for technical vulnerabilities; defines a timeline; identi… (§ 12.6.1, ISO 27002 Code of practice for information security management, 2005)
  • A process is in place to identify, evaluate, test, approve, and implement patches in a timely manner on infrastructure and software. (CC8.1 ¶ 3 Bullet 14 Manages Patch Changes, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • The organization ensures that a process exists and is implemented to identify patches to technology assets, evaluate patch criticality and risk, and test and apply the patch within an appropriate time frame. (PR.IP-12.4, CRI Profile, v1.2)
  • Identify, report, and correct information and information system flaws in a timely manner. (§ 52.204-21(b)(1)(xii), Federal Acquisition Regulation 52.204-21 Basic Safeguarding of Covered Contractor Information Systems)
  • The organization ensures that a process exists and is implemented to identify patches to technology assets, evaluate patch criticality and risk, and test and apply the patch within an appropriate time frame. (PR.IP-12.4, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • Incorporates flaw remediation into the organizational configuration management process. (SI-2d., StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • Incorporates flaw remediation into the organizational configuration management process. (SI-2d., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • The organization employs automated mechanisms [Assignment: organization-defined frequency] to determine the state of information system components with regard to flaw remediation. (SI-2(2) ¶ 1, StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Incorporates flaw remediation into the organizational configuration management process. (SI-2d., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Incorporates flaw remediation into the organizational configuration management process. (SI-2d., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • The organization centrally manages the flaw remediation process. (SI-2(1) ¶ 1, StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • The organization employs automated mechanisms [Assignment: organization-defined frequency] to determine the state of information system components with regard to flaw remediation. (SI-2(2) ¶ 1, StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • The security program, in relation to protecting personal information, should include procedures for patching System Software. (Table Ref 8.2.1, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The organization must implement and monitor the status of software patch management controls. (PE 15.h, Corporate Information Security Working Group: Report of the best practices and metrics teams; subcommittee on technology, information policy, intergovernmental relations and the census; Government Reform Committee, United States House of Representatives)
  • Software Vulnerability Mitigation: Use one or a combination of the following methods to achieve the objective of mitigating the risk of vulnerabilities posed by unpatched software on the Transient Cyber Asset (per Transient Cyber Asset capability): (Attachment 1 Section 1. 1.3., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Configuration Change Management and Vulnerability Assessments CIP-010-4, Version 4)
  • Software Vulnerabilities Mitigation: Use one or a combination of the following methods to achieve the objective of mitigating the risk of vulnerabilities posed by unpatched software on the Transient Cyber Asset (per Transient Cyber Asset capability): (Attachment 1 Section 2. 2.1, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Configuration Change Management and Vulnerability Assessments CIP-010-4, Version 4)
  • Software Vulnerabilities Mitigation: Use one or a combination of the following methods to achieve the objective of mitigating the risk of vulnerabilities posed by unpatched software on the Transient Cyber Asset (per Transient Cyber Asset capability): - Review of installed security patch(es); - Revie… (Section 2. 2.1, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Configuration Change Management and Vulnerability CIP-010-2, Version 2)
  • Software Vulnerability Mitigation: Use one or a combination of the following methods to achieve the objective of mitigating the risk of vulnerabilities posed by unpatched software on the Transient Cyber Asset (per Transient Cyber Asset capability): - Security patching, including manual or managed up… (Section 1. 1.3., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Configuration Change Management and Vulnerability CIP-010-2, Version 2)
  • Software Vulnerabilities Mitigation: Use one or a combination of the following methods to achieve the objective of mitigating the risk of vulnerabilities posed by unpatched software on the Transient Cyber Asset (per Transient Cyber Asset capability): (Attachment 1 Section 2. 2.1, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Configuration Change Management and Vulnerability CIP-010-3, Version 3)
  • Software Vulnerability Mitigation: Use one or a combination of the following methods to achieve the objective of mitigating the risk of vulnerabilities posed by unpatched software on the Transient Cyber Asset (per Transient Cyber Asset capability): (Attachment 1 Section 1. 1.3., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Configuration Change Management and Vulnerability CIP-010-3, Version 3)
  • A patch management process for tracking, evaluating, and installing cyber security patches for applicable Cyber Assets. The tracking portion shall include the identification of a source or sources that the Responsible Entity tracks for the release of cyber security patches for applicable Cyber Asset… (CIP-007-6 Table R2 Part 2.1 Requirements ¶ 1., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - System Security Management CIP-007-6, Version 6)
  • On Windows systems that transmit scoped data, are current patches applied? (§ G.17.2, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On Windows systems that process scoped data, are current patches applied? (§ G.17.2, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On Windows systems that store scoped data, are current patches applied? (§ G.17.2, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • Are systems and applications patched? (§ I.3, Shared Assessments Standardized Information Gathering Questionnaire - I. Information Systems Acquisition Development & Maintenance, 7.0)
  • Does the process of patching systems and applications include priority patching of high-risk systems first? (§ I.3.4, Shared Assessments Standardized Information Gathering Questionnaire - I. Information Systems Acquisition Development & Maintenance, 7.0)
  • For cloud computing services, does the client deploy system and application patches to the base image? (§ V.1.50.4, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • For cloud computing services, are systems and applications patched? (§ V.1.50, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • Does the cloud computing provider deploy the system and application patches to the live server? (§ V.1.50.1, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • For cloud computing services, does the client deploy system and application patches to the live server? (§ V.1.50.2, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • Does the cloud computing provider deploy system patches and application patches to the base image? (§ V.1.50.3, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • Does the cloud computing provider or the client use a different deployment method to patch systems and applications? (§ V.1.50.5, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • For cloud computing services that use a hypervisor to transmit, process, or store scoped data, are current patches installed? (§ V.1.72.3, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • Table F-1: For Windows 2000 Server, the organization must implement all critical operating system security patches. Table F-2: For Windows 2003 Server, the organization must implement all critical operating system security patches. Table F-3: For Windows 2000 Professional, the organization must impl… (Table F-1, Table F-2, Table F-3, Table F-4, Table F-6, Table F-7, Table F-8, Table F-9, CMS Business Partners Systems Security Manual, Rev. 10)
  • CSR 1.9.4(3): The organization must document the software/hardware installation and maintenance, including review and testing of security features and patch management. CSR 1.13.9(3): The organization must scan the information system for critical software updates and patches before portable or mobil… (CSR 1.9.4(3), CSR 1.13.9(3), CSR 6.3.15, CSR 6.3.16, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • Apply latest firmware release to the MFD. (MFD02.004, Multi-Function Device (MFD) and Printer Checklist for Sharing Peripherals Across the Network Security Technical Implementation Guide, Version 1 Release 1.3)
  • Identify, report, and correct information and information system flaws in a timely manner. (SI.1.210, Cybersecurity Maturity Model Certification, Version 1.0, Level 1)
  • Identify, report, and correct information and information system flaws in a timely manner. (SI.1.210, Cybersecurity Maturity Model Certification, Version 1.0, Level 2)
  • Identify, report, and correct information and information system flaws in a timely manner. (SI.1.210, Cybersecurity Maturity Model Certification, Version 1.0, Level 3)
  • Identify, report, and correct information and information system flaws in a timely manner. (SI.1.210, Cybersecurity Maturity Model Certification, Version 1.0, Level 4)
  • Identify, report, and correct information and information system flaws in a timely manner. (SI.1.210, Cybersecurity Maturity Model Certification, Version 1.0, Level 5)
  • Identify, report, and correct information and information system flaws in a timely manner. (SI.L1-3.14.1 Flaw Remediation, Cybersecurity Maturity Model Certification, Version 2.0, Level 1)
  • Identify, report, and correct information and information system flaws in a timely manner. (SI.L1-3.14.1 Flaw Remediation, Cybersecurity Maturity Model Certification, Version 2.0, Level 2)
  • Periodic security updates shall be implemented. The covered entity shall assess this to determine if it is a reasonable and appropriate safeguard in the environment and, if it is reasonable and appropriate, then implement it, or document why it is not reasonable and appropriate and implement an equi… (§ 164.308(a)(5)(ii)(A), 45 CFR Part 164 - Security and Privacy, current as of January 17, 2013)
  • The agency shall identify the services, applications, and Information Systems that contain the software or hardware being affected by recently announced software flaws and the potential vulnerabilities. (§ 5.10.4.1 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • The local patch management policies should include centralized patch management. (§ 5.10.4.1 ¶ 2(4), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • Timely application of system patches—part of configuration management (§ 5.2.1.4 ¶ 1(3), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • The agency (or the software developer/vendor in the case of software developed and maintained by a vendor/contractor) shall develop and implement a local policy that ensures prompt installation of newly released security relevant patches, service packs and hot fixes. Local policies should include su… (§ 5.10.4.1 ¶ 2, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • Centralized patch management. (§ 5.10.4.1 ¶ 2(4), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • Centralized patch management. (§ 5.10.4.1 ¶ 2 4., Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • A patch management program is implemented and ensures that software and firmware patches are applied in a timely manner. (Domain 3: Assessment Factor: Corrective Controls, PATCH MANAGEMENT Baseline 1 ¶ 1, FFIEC Cybersecurity Assessment Tool, Baseline, May 2017)
  • Patch management reports are reviewed and reflect missing security patches. (Domain 3: Assessment Factor: Corrective Controls, PATCH MANAGEMENT Baseline 1 ¶ 3, FFIEC Cybersecurity Assessment Tool, Baseline, May 2017)
  • Effective vulnerability and patch management processes. (VI.B Action Summary ¶ 2 Bullet 3, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Implements and adheres to patch management processes. (App A Objective 3:7k, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • With internally developed software, evaluate whether management is responsible for maintaining the software, and entity personnel have the resources and expertise to stay abreast of vulnerabilities and develop software updates and patches. (App A Objective 13:5a, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Implementing version and patch control guidelines for open source software in use. (App A Objective 13:6g Bullet 2 Sub-Bullet 5, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Performs timely patch management. (App A Objective 13:6h Bullet 6, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Securely configured and patched remote access servers. (App A Objective 9:1c Bullet 4, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Management implements a patch management program that includes documentation of any patch installations. The patch management program includes the following: (App A Objective 15:3b, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Determined whether custom software was designed to integrate with the existing enterprise software, hardware, and data, and whether management considered issues related to obsolescence, patching, and availability of expertise. (App A Objective 13:5b Bullet 2, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • An effective monitoring process that identifies the availability of software patches. (App A Objective 6.15.a, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Tracking changes made to the systems and applications, availability of updates, and the planned end of support by the vendor. (App A Objective 6.16.c, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Determine whether management has a process to update and patch operating systems, network devices, and software applications, including internally developed software provided to customers, for newly discovered vulnerabilities. Review whether patch management processes include the following: (App A Objective 6.15, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Allow administrators to review and install patches for applications in a timely manner. (App A Objective 6.27.d, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Management should have a process to introduce changes to the environment in a controlled manner. Changes to the IT environment include the following: - Configuration management of IT systems and applications. - Hardening of systems and applications. - Use of standard builds. - Patch management. (II.C.10 Change Management Within the IT Environment, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • The organization should have a patch management program in place to evaluate, approve, test, install, and document all software modifications. The organization should have procedures to identify patches and acquire them from trusted sources. (Pg 32, Pg 55, Exam Obj 11.1, FFIEC IT Examination Handbook - Development and Acquisition)
  • Newly discovered vulnerabilities should be mitigated as soon as possible by either reconfiguring the device or implementing a patch. (Pg 28, FFIEC IT Examination Handbook - E-Banking, August 2003)
  • The organization should develop procedures to ensure patches are up to date, installed when appropriate, and tested prior to implementation. (Pg 26, Exam Tier I Obj 5.1, FFIEC IT Examination Handbook - Operations, July 2004)
  • Incorporates flaw remediation into the organizational configuration management process. (SI-2d. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The organization employs automated mechanisms [FedRAMP Assignment: at least monthly] to determine the state of information system components with regard to flaw remediation. (SI-2(2) High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The organization centrally manages the flaw remediation process. (SI-2(1) High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The organization employs automated mechanisms [FedRAMP Assignment: at least monthly] to determine the state of information system components with regard to flaw remediation. (SI-2(2) Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Incorporates flaw remediation into the organizational configuration management process. (SI-2d. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Incorporates flaw remediation into the organizational configuration management process. (SI-2d. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Incorporate flaw remediation into the organizational configuration management process. (SI-2d., FedRAMP Security Controls High Baseline, Version 5)
  • Incorporate flaw remediation into the organizational configuration management process. (SI-2d., FedRAMP Security Controls Low Baseline, Version 5)
  • Incorporate flaw remediation into the organizational configuration management process. (SI-2d., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Does the Credit Union Information Technology policy include the frequency for system patches and updates? (IT - Policy Checklist Q 13, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Does documentation of patch management exist? (IT - Servers Q 7, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Are there procedures and documentation to verify the latest virus software patch has been installed? (IT - Servers Q 23, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Does the Credit Union have a formal process to identify, test, and apply Wireless Local Area Network and Wireless Wide Area Network patches, updates, and Service Packs? (IT - WLANS Q 27, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • The organization should implement a patch management program to help the system administrators identify, acquire, test, and deploy patches. A large percentage of incidents involve exploiting a small number of system and application vulnerabilities. (§ 3.1.2 ¶ 3, Computer Security Incident Handling Guide, NIST SP 800-61, Revision 1)
  • Incorporate flaw remediation into the organizational configuration management process. (SI-2d., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Incorporate flaw remediation into the organizational configuration management process. (SI-2d., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Incorporate flaw remediation into the organizational configuration management process. (SI-2d., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Incorporate flaw remediation into the organizational configuration management process. (SI-2d., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • Incorporate flaw remediation into the organizational configuration management process. (SI-2d., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Flow Down Controls)
  • Incorporate flaw remediation into the organizational configuration management process. (SI-2d., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Incorporate flaw remediation into the organizational configuration management process. (SI-2d., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Employ automated mechanisms to detect misconfigured or unauthorized system components; after detection, [Selection (one or more): remove the components; place the components in a quarantine or remediation network] to facilitate patching, re-configuration, or other mitigations. (3.4.2e, Enhanced Security Requirements for Protecting Controlled Unclassified Information, NIST SP 800-172)
  • System and Information Integrity (SI): Organizations must: (i) identify, report, and correct information and information system flaws in a timely manner; (ii) provide protection from malicious code at appropriate locations within organizational information systems; and (iii) monitor information syst… (§ 3, FIPS Pub 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006)
  • Organizational records and documents should be examined to ensure security patches, service packs, and hot fixes are installed within a predefined time period; patches, service packs, and hot fixes are tested for effectiveness and side effects prior to implementation; logs are maintained of all chan… (SI-2, SI-2(1), SI-2(2), SI-2.7, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)
  • Bluetooth products used by the organization should support the updating and patching of Bluetooth firmware to ensure the latest security fixes and enhancements can be installed. (Table 4-2 Item 3, Guide to Bluetooth Security, NIST SP 800-121, September 2008)
  • Organizations should offer flexibility with how soon routine patches are to be installed, while also forcing installation after a grace period has ended. A routine patch does not necessitate immediate installation, but at some point, patches must be installed to reduce the risk for the entire enviro… (3.5.1 ¶ 3, Guide to Enterprise Patch Management Planning: Preventive Maintenance for Technology, NIST SP 800-40, Revision 4)
  • Organizations should plan on periodically reevaluating their alternatives to patching. There are two main aspects to this. One is conducting a risk assessment to see if the alternatives to patching are still sufficiently effective at mitigating risk. The other is conducting a cost-benefit analysis t… (3.5.4 ¶ 3, Guide to Enterprise Patch Management Planning: Preventive Maintenance for Technology, NIST SP 800-40, Revision 4)
  • Organizations should plan to replace emergency mitigations with permanent fixes. Once a permanent fix, such as a patch, is available, the patch will need to be deployed and the mitigation removed. Schedules should be set and enforced for both patch deployment and mitigation removal. (3.5.3 ¶ 2, Guide to Enterprise Patch Management Planning: Preventive Maintenance for Technology, NIST SP 800-40, Revision 4)
  • The organization employs automated mechanisms [Assignment: organization-defined frequency] to determine the state of information system components with regard to flaw remediation. (SI-2(2) ¶ 1 Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Incorporates flaw remediation into the organizational configuration management process. (SI-2d. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Incorporates flaw remediation into the organizational configuration management process. (SI-2d. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Incorporates flaw remediation into the organizational configuration management process. (SI-2d. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The organization centrally manages the flaw remediation process. (SI-2(1) ¶ 1 High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The organization employs automated mechanisms [Assignment: organization-defined frequency] to determine the state of information system components with regard to flaw remediation. (SI-2(2) ¶ 1 High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Applying patches to OS components creates another situation where significant care should be exercised in the ICS environment. Patches should be adequately tested (e.g., off-line on a comparable ICS) to determine the acceptability of side effects. Regression testing is advised. It is not uncommon fo… (§ 6.2.17.3 ICS-specific Recommendations and Guidance ¶ 1, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Once the decision is made to deploy a patch, there are other tools that automate this process from a centralized server and with confirmation that the patch has been deployed correctly. Consider separating the automated process for ICS patch management from the automated process for non-ICS applicat… (§ 6.2.17.3 ICS-specific Recommendations and Guidance ¶ 2, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Computers and computerized devices used for ICS functions (such as PLC programming) should never be allowed to leave the ICS area. Laptops, portable engineering workstations and handhelds (e.g., 375 HART communicator) should be tightly secured and should never be allowed to be used outside the ICS n… (§ 6.2.11.2 ICS-specific Recommendations and Guidance ¶ 1, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Network administrators should monitor vendors' websites for any patches or updates and install them in accordance with the organization's policy. Additionally, use available vendor "security alert" email lists to be advised of new vulnerabilities and attacks. (§ 6.3.5, Guide to Securing Legacy IEEE 802.11 Wireless Networks, NIST SP 800-48, Revision 1)
  • Integrate automated capabilities for updating or patching system software where practical and develop processes and procedures for manual updating and patching of system software based on current and projected patch timeline requirements for the operational environment of the system. (T0128, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • The organization should use automated patch management tools for flaw remediation. (SG.SI-2 Additional Considerations A3, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • Identify, report, and correct information and information system flaws in a timely manner. (3.14.1, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171)
  • Identify, report, and correct system flaws in a timely manner. (3.14.1, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171, Revision 1)
  • Identify, report, and correct system flaws in a timely manner. (3.14.1, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171, Revision 2)
  • The organization should schedule automated mechanisms to evaluate system components for flaw remediation status. (App F § SI-2(2), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization should use automated patch management tools to help with flaw remediation. (App F § SI-2(4), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization should use nonautomated mechanisms or procedures as compensating controls in accordance with the general tailoring guidance when the Industrial Control System cannot centrally manage flaw remediation and automatic updates. (App I § SI-2 Control Enhancement: (1), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization should use nonautomated mechanisms or procedures as compensating controls in accordance with the general tailoring guidance when the Industrial Control System cannot support automated mechanisms to conduct and report on flaw remediation status. (App I § SI-2 Control Enhancement: (2), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • Integrate automated capabilities for updating or patching system software where practical and develop processes and procedures for manual updating and patching of system software based on current and projected patch timeline requirements for the operational environment of the system. (T0128, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • The organization identifies, reports, and corrects information system flaws. (SI-2a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization incorporates flaw remediation into the organizational configuration management process. (SI-2d., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization centrally manages the flaw remediation process. (SI-2(1), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization employs automated mechanisms {organizationally documented frequency} to determine the state of information system components with regard to flaw remediation. (SI-2(2), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization identifies, reports, and corrects information system flaws. (SI-2a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization incorporates flaw remediation into the organizational configuration management process. (SI-2d., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization centrally manages the flaw remediation process. (SI-2(1), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization employs automated mechanisms {organizationally documented frequency} to determine the state of information system components with regard to flaw remediation. (SI-2(2), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization identifies, reports, and corrects information system flaws. (SI-2a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization incorporates flaw remediation into the organizational configuration management process. (SI-2d., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization identifies, reports, and corrects information system flaws. (SI-2a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization incorporates flaw remediation into the organizational configuration management process. (SI-2d., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization employs automated mechanisms {organizationally documented frequency} to determine the state of information system components with regard to flaw remediation. (SI-2(2), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • Incorporates flaw remediation into the organizational configuration management process. (SI-2d., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • The organization centrally manages the flaw remediation process. (SI-2(1) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • The organization employs automated mechanisms [Assignment: organization-defined frequency] to determine the state of information system components with regard to flaw remediation. (SI-2(2) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Incorporates flaw remediation into the organizational configuration management process. (SI-2d., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • The organization employs automated mechanisms [Assignment: organization-defined frequency] to determine the state of information system components with regard to flaw remediation. (SI-2(2) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Incorporates flaw remediation into the organizational configuration management process. (SI-2d., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • The organization centrally manages the flaw remediation process. (SI-2(1) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Incorporates flaw remediation into the organizational configuration management process. (SI-2d., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • The organization employs automated mechanisms [Assignment: organization-defined frequency] to determine the state of information system components with regard to flaw remediation. (SI-2(2) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Incorporate flaw remediation into the organizational configuration management process. (SI-2d., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Incorporate flaw remediation into the organizational configuration management process. (SI-2d., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Incorporates flaw remediation into the organizational configuration management process. (SI-2d., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Establish and document policies and procedures for assessing and maintaining configuration information, for tracking changes made to the pipeline cyber assets, and for patching/upgrading operating systems and applications. Ensure that the changes do not adversely impact existing cybersecurity contro… (Table 2: Asset Management Baseline Security Measures Cell 1, Pipeline Security Guidelines)
  • Incorporates flaw remediation into the organizational configuration management process. (SI-2d., TX-RAMP Security Controls Baseline Level 1)
  • Incorporates flaw remediation into the organizational configuration management process. (SI-2d., TX-RAMP Security Controls Baseline Level 2)
  • The organization employs automated mechanisms [TX-RAMP Assignment: at least monthly] to determine the state of information system components with regard to flaw remediation. (SI-2(2) ¶ 1, TX-RAMP Security Controls Baseline Level 2)