Use the latest approved version of all software.

CONTROL ID
00897
CONTROL TYPE
Technical Security
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain system hardening procedures., CC ID: 12001

This Control has the following implementation support Control(s):
  • Install the most current Windows Service Pack., CC ID: 01695
  • Install critical security updates and important security updates in a timely manner., CC ID: 01696

SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • For software installed in routers, servers, and other external connection devices, the organization shall collect information about security holes and other deficiencies and implement software upgrading and other corrective actions. It should apply, depending on the significance for business operati… (O56.3(5), FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • The FI should actively manage its IT systems and software so that outdated and unsupported systems which significantly increase its exposure to security risks are replaced on a timely basis. The FI should pay close attention to the product’s end-of-support (“EOS”) date as it is common for vend… (§ 9.2.2, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • The FI should avoid using outdated and unsupported hardware or software, which could increase its exposure to security and stability risks. The FI should closely monitor the hardware's or software's end-of-support (EOS) dates as service providers would typically cease the provision of patches, inclu… (§ 7.3.1, Technology Risk Management Guidelines, January 2021)
  • Only the latest version of TLS is used. (Security Control: 1139; Revision: 5, Australian Government Information Security Manual, March 2021)
  • The latest version (N), or N-1 version, of an operating system is used for SOEs. (Security Control: 1407; Revision: 3, Australian Government Information Security Manual, March 2021)
  • Versions of S/MIME earlier than 3.0 are not used. (Security Control: 0490; Revision: 3, Australian Government Information Security Manual, March 2021)
  • The latest releases of key business applications such as office productivity suites, PDF viewers, web browsers, common web browser plugins, email clients and software platforms are used when present within SOEs. (Security Control: 1467; Revision: 1, Australian Government Information Security Manual, March 2021)
  • The latest releases of web server software, server applications that store important data, and other internet-accessible server applications are used when present within SOEs. (Security Control: 1483; Revision: 0, Australian Government Information Security Manual, March 2021)
  • If supported, the latest version of Microsoft's EMET is implemented on workstations and servers and configured with both operating system mitigation measures and application-specific mitigation measures. (Security Control: 1414; Revision: 1, Australian Government Information Security Manual, March 2021)
  • The latest release, or the previous release, of operating systems are used. (Control: ISM-1407; Revision: 5, Australian Government Information Security Manual, June 2023)
  • The latest release of office productivity suites, web browsers and their extensions, email clients, PDF software, and security products are used. (Control: ISM-1467; Revision: 3, Australian Government Information Security Manual, June 2023)
  • The latest release of internet-facing server applications are used. (Control: ISM-1483; Revision: 2, Australian Government Information Security Manual, June 2023)
  • Versions of S/MIME earlier than S/MIME version 3.0 are not used for S/MIME connections. (Control: ISM-0490; Revision: 4, Australian Government Information Security Manual, June 2023)
  • The latest release, or the previous release, of operating systems are used. (Control: ISM-1407; Revision: 5, Australian Government Information Security Manual, September 2023)
  • The latest release of office productivity suites, web browsers and their extensions, email clients, PDF software, and security products are used. (Control: ISM-1467; Revision: 3, Australian Government Information Security Manual, September 2023)
  • The latest release of internet-facing server applications are used. (Control: ISM-1483; Revision: 2, Australian Government Information Security Manual, September 2023)
  • Versions of S/MIME earlier than S/MIME version 3.0 are not used for S/MIME connections. (Control: ISM-0490; Revision: 4, Australian Government Information Security Manual, September 2023)
  • The organization must use Bluetooth version 2.1 or later for Bluetooth keyboards. (Control: 1166, Australian Government Information Security Manual: Controls)
  • The organization must install the latest version of Operating Systems and applications as soon as possible. (Control: 1348, Australian Government Information Security Manual: Controls)
  • The organization must install the latest version of applications inside of 2 days, if the upgrade addresses critical security vulnerabilities. (Control: 1349, Australian Government Information Security Manual: Controls)
  • The organization must apply the latest product updates and security patches to the Database Management System software as soon as possible. (Control: 1244, Australian Government Information Security Manual: Controls)
  • The organization must not use a version of Secure Sockets Layer earlier than version 3.0. (Control: 0482, Australian Government Information Security Manual: Controls)
  • The organization should use the current version of Transport Layer Security instead of Secure Sockets Layer. (Control: 1139, Australian Government Information Security Manual: Controls)
  • The organization should not use versions of S/MIME earlier than 3.0. (Control: 0490, Australian Government Information Security Manual: Controls)
  • All software should be up-to-date to reduce potential vulnerabilities to the system. (§ 3.5.8, Australian Government ICT Security Manual (ACSI 33))
  • The organization should use the latest version of all applications. (Mitigation Strategy Effectiveness Ranking 1, Strategies to Mitigate Targeted Cyber Intrusions)
  • The organization should use the latest version of the Operating System software. (Mitigation Strategy Effectiveness Ranking 2, Strategies to Mitigate Targeted Cyber Intrusions)
  • Use the latest version of applications. (# 1, Strategies to Mitigate Targeted Cyber Intrusions)
  • Use the latest Operating System version. (# 2, Strategies to Mitigate Targeted Cyber Intrusions)
  • Financial institutions should monitor and manage the life cycles of ICT assets, to ensure that they continue to meet and support business and risk management requirements. Financial institutions should monitor whether their ICT assets are supported by their external or internal vendors and developer… (3.5 55, Final Report EBA Guidelines on ICT and security risk management)
  • The device should check after initialization, and then periodically, whether security updates are available. (Provision 5.3-5, CYBER; Cyber Security for Consumer Internet of Things: Baseline Requirements, ETSI EN 303 645, V2.1.1)
  • Keep software updated (5.3, CYBER; Cyber Security for Consumer Internet of Things: Baseline Requirements, ETSI EN 303 645, V2.1.1)
  • The logical and physical IT systems which the cloud provider uses for the development and rendering of the cloud service as well as the network perimeters which are subject to the cloud provider's area of responsibility are equipped with anti-virus protection and repair programs which allow for a si… (Section 5.6 RB-05 Basic requirement ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • Has the organization upgraded to the latest version of sendmail and/or implemented patches for sendmail? (Table Row VI.8, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • On machines that are authorized Domain Name Server servers, have they been updated to the latest version and patch level? (App Table Active Content Filtering Row 2.b, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Apply the latest OS patches. (§ 1.1, The Center for Internet Security AIX Benchmark, 1.0.1)
  • Ensure that Docker commands always make use of the latest version of their image Description: You should always ensure that you are using the latest version of the images within your repository and not cached older versions. Rationale: Multiple Docker commands such as `docker pull`, `docker run` etc… (5.27, The Center for Internet Security Docker Level 1 Docker Linux Benchmark, v 1.2.0)
  • Ensure that the version of Docker is up to date Description: Frequent releases for Docker are issued which address security vulnerabilities, resolve product bugs and bring in new functionality. You should keep a tab on these product updates and upgrade as frequently as possible in line with the gene… (1.1.2, The Center for Internet Security Docker Level 1 Linux Host OS Benchmark, v 1.2.0)
  • Ensure that Docker commands always make use of the latest version of their image Description: You should always ensure that you are using the latest version of the images within your repository and not cached older versions. Rationale: Multiple Docker commands such as `docker pull`, `docker run` etc… (5.27, The Center for Internet Security Docker Level 2 Docker Linux Benchmark, 1.2.0)
  • Ensure that the version of Docker is up to date Description: Frequent releases for Docker are issued which address security vulnerabilities, resolve product bugs and bring in new functionality. You should keep a tab on these product updates and upgrade as frequently as possible in line with the gene… (1.1.2, The Center for Internet Security Docker Level 2 Linux Host OS Benchmark, v 1.2.0)
  • Apply the latest OS patches. (§ 1.1, The Center for Internet Security FreeBSD Benchmark, 1.0.5)
  • Apply the latest OS patches. (§ 1.1, The Center for Internet Security HP-UX Benchmark, 1.4.2)
  • Apply the latest OS patches. (§ 1.1, The Center for Internet Security Red Hat Enterprise Linux Benchmark, 1.0.5)
  • Apply the latest OS patches. (§ 1.1, The Center for Internet Security Red Hat Enterprise Linux Benchmark, 1.1.1)
  • Apply the latest OS patches. (§ 1.1, The Center for Internet Security Slackware Linux Benchmark, 1.1)
  • The latest OS patches are called for. (§ 1.1, The Center for Internet Security Solaris 10 Benchmark, 2.1.2)
  • Apply the latest OS patches. (§ 1.1, The Center for Internet Security Solaris Benchmark, 1.5.0)
  • Apply the latest OS patches. (§ 1.1, The Center for Internet Security SuSE Linux Enterprise Server Benchmark, 2)
  • For a sample of system components and related software, compare the list of security patches installed on each system to the most recent vendor security patch list, to verify that current vendor patches are installed. (§ 6.1.a, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 2.0)
  • Examine policies related to security patch installation to verify they require installation of all critical new security patches within one month. (§ 6.1.b, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 2.0)
  • The organization must ensure the latest vendor-supplied security patches have been installed. (§ 6.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • For a sample of system components and related software, compare the list of security patches installed on each system to the most recent vendor security patch list, to verify that current vendor patches are installed. (§ 6.1.a Testing Procedures, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • Examine policies related to security patch installation to verify they require installation of all critical new security patches within one month. (§ 6.1.b Testing Procedures, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • (Further Issues 7 § 2.1, ISF Security Audit of Networks)
  • Access to the network should be restricted to devices that meet minimum security configuration requirements, which includes verifying that devices have the latest systems and software patches installed. (CF.09.03.04c, The Standard of Good Practice for Information Security)
  • Access to the network should be restricted to devices that meet minimum security configuration requirements, which includes verifying that devices have the latest systems and software patches installed. (CF.09.03.04c, The Standard of Good Practice for Information Security, 2013)
  • All systems should be audited regularly using the Center for Internet Security tools to ensure all patches have been implemented. (Action 1.1.1 ¶ 1, SANS Computer Security Incident Handling, Version 2.3.1)
  • For all acquired application software, check that the version you are using is still supported by the vendor. If not, update to the most current version and install all relevant patches and vendor security recommendations. (Control 18.1, The CIS Critical Security Controls for Effective Cyber Defense, Version 6.0)
  • Ensure that only fully supported web browsers and email clients are allowed to execute in the organization, ideally only using the latest version of the browsers provided by the vendor in order to take advantage of the latest security functions and fixes. (Control 7.1, The CIS Critical Security Controls for Effective Cyber Defense, Version 6.0)
  • The organization must install the latest stable version of all security-related updates inside of 30 days after the vendor releases an update. (Critical Control 10.6, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • Ensure that only fully supported web browsers and email clients are allowed to execute in the organization, ideally only using the latest version of the browsers and email clients provided by the vendor. (CIS Control 7: Sub-Control 7.1 Ensure Use of Only Fully Supported Browsers and Email Clients, CIS Controls, 7.1)
  • Ensure that only fully supported web browsers and email clients are allowed to execute in the organization, ideally only using the latest version of the browsers and email clients provided by the vendor. (CIS Control 7: Sub-Control 7.1 Ensure Use of Only Fully Supported Browsers and Email Clients, CIS Controls, V7)
  • Ensure only fully supported browsers and email clients are allowed to execute in the enterprise, only using the latest version of browsers and email clients provided through the vendor. (CIS Control 9: Safeguard 9.1 Ensure Use of Only Fully Supported Browsers and Email Clients, CIS Controls, V8)
  • The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data backup processes, and recovery infrastructure to meet its objectives. (A1.2 ¶ 1, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • The security program, in relation to protecting personal information, should include procedures for upgrading System Software. (Table Ref 8.2.1, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data back-up processes, and recovery infrastructure to meet its objectives. (A1.2, Trust Services Criteria)
  • The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data backup processes, and recovery infrastructure to meet its objectives. (A1.2 ¶ 1, Trust Services Criteria, (includes March 2020 updates))
  • using supported and trusted software or, alternatively, implement appropriate controls regarding the use of unsupported software; (Information Security Program Bullet 3 Deployment of Protective Measures Against the Identified Threats and Vulnerabilities ¶ 1 Sub-bullet 5, 9070 - NFA Compliance Rules 2-9, 2-36 and 2-49: Information Systems Security Programs)
  • The organization must verify all system software is current and it has complete and current documentation. (CSR 3.4.5, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • The web browser for remote access devices must be the most current supported version available and must have all the current and applicable security-related patches installed. (§ 5.3, DISA Secure Remote Computing Security Technical Implementation Guide, Version 1 Release 2)
  • The version of the BES should be version 4.0 with Service Pack 2 or later. (§ 2.2 (WIR1070), DISA WIRELESS STIG BLACKBERRY SECURITY CHECKLIST, Version 5 Release 2.4)
  • Uses security software that is current, deployed effectively, and designed to keep up with the evolution of malicious code. (App A Objective 13:6e Bullet 1, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Determine whether management establishes procedures to stay abreast of system vulnerabilities and software vendor patches, tests patches in a segregated environment, and installs them when appropriate. Additionally, determine the effectiveness of the following: (App A Objective 15:3, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • The organization should monitor the Internet and vendor sites to find out about upgrades, security updates, and enhancements. (Pg 26, FFIEC IT Examination Handbook - Operations, July 2004)
  • The software vendor should be told to notify the agency in charge of the software of any major software changes and/or enhancements. (Pg 22, FFIEC IT Examination Handbook - Supervision of Technology Service Providers, March 2003)
  • Is the firewall Operating System updated on a regular basis? (IT - Firewalls Q 13, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Is the Intrusion Detection System configuration current and up-to-date? (IT - IDS IPS Q 10, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Is the Operating System software current for each server? (IT - Servers Q 4, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • With the sophistication of the software packages today, keeping software updated is very important. Many packages can execute macros and some can connect to the Internet; both can potentially compromise security. All system software should be kept up to current patch levels to eliminate known vulner… (§ 4.3.3, Guidance for Securing Microsoft Windows XP Systems for IT Professionals, NIST SP 800-68, Revision 1)
  • Information system software should be configured to automatically check for and install updates on a regular basis. Interviews should be conducted with personnel to ensure applications are automatically updated and installed. (SI-2.13, SI-2.14, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)
  • The organization should ensure all Bluetooth patches and upgrades are installed regularly. (Table 4-2 Item 28, Guide to Bluetooth Security, NIST SP 800-121, September 2008)
  • Another option is using a "latest" tag for images and referencing this tag in deployment automation. However, because this tag is only a label attached to the image and not a guarantee of freshness, organizations should be cautious to not overly trust it. Regardless of whether an organization choose… (4.2.2 ¶ 2, NIST SP 800-190, Application Container Security Guide)
  • The organization must update the malicious code protection software, including the signature definitions, when new updates are available. (SG.SI-3 Requirement 1.b, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • Software is maintained, replaced, and removed commensurate with risk (PR.PS-02, The NIST Cybersecurity Framework, v2.0)
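Several of the citations above describe the same test in different words: take the list of what is installed, compare it to the vendor's most recent patch list (PCI DSS 6.1.a), check that critical fixes were applied inside the required window (PCI DSS 6.1.b's one month, ACSC control 1349's two days), and flag anything past its end-of-support date (MAS TRM 7.3.1, EBA 3.5 55). The script below is an added worked example of that comparison; it is not code from any of the cited documents. The package names, versions, advisory dates and end-of-support dates are constructed sample data, and the `Advisory` record, `needs_action` and `SLA_DAYS` are this example's own names. The one point it demonstrates that the prose does not is that version strings must be compared component-wise: as plain strings, "1.9" sorts after "1.10", which silently reports an out-of-date package as current.

```python
"""Patch-currency check: compare installed package versions against a
vendor advisory list and report what is behind, past its patch window,
or past end of support. Added example; all data below is constructed."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional
import re


@dataclass(frozen=True)
class Advisory:
    """One vendor advisory (hypothetical record shape, not a real feed)."""
    package: str
    fixed_version: str          # first version that contains the fix
    released: date              # date the vendor published the fix
    severity: str               # "critical" or "important"
    eos: Optional[date] = None  # vendor end-of-support date, if any


def version_key(v: str) -> tuple:
    """Split a dotted version into comparable parts so 1.10 > 1.9.
    Numeric components compare as ints, textual ones as strings.
    For real distro packages use the package manager's own comparator
    (dpkg --compare-versions, rpm's rpmvercmp); this is a plain
    numeric-dotted comparison and does not model epochs or ~ suffixes."""
    parts = []
    for tok in re.split(r"[.\-+~]", v):
        for m in re.finditer(r"\d+|[A-Za-z]+", tok):
            s = m.group()
            parts.append((1, int(s)) if s.isdigit() else (0, s))
    return tuple(parts)


def needs_action(installed: Dict[str, str], advisories: List[Advisory],
                 today: date, sla_days: Dict[str, int]) -> List[dict]:
    """Return one finding per installed package that is behind the vendor's
    fixed version or past end of support. sla_breached is set when the
    package is still behind after the window for its severity has elapsed."""
    findings = []
    for adv in advisories:
        cur = installed.get(adv.package)
        if cur is None:
            continue  # not installed: nothing to patch
        behind = version_key(cur) < version_key(adv.fixed_version)
        past_eos = adv.eos is not None and today > adv.eos
        if not behind and not past_eos:
            continue
        age = (today - adv.released).days
        findings.append({
            "package": adv.package,
            "installed": cur,
            "fixed_in": adv.fixed_version,
            "severity": adv.severity,
            "days_since_release": age,
            "sla_breached": behind and age > sla_days.get(adv.severity, 30),
            "past_end_of_support": past_eos,
        })
    return findings


# Constructed sample inventory, e.g. as parsed from `dpkg-query -W` output.
SAMPLE_INSTALLED = {
    "openssl": "3.0.9",
    "nginx": "1.24.0",
    "sendmail": "8.17.1",
    "oldlib": "1.9",
}

# Constructed sample advisories; these are not real vendor releases.
SAMPLE_ADVISORIES = [
    Advisory("openssl", "3.0.10", date(2024, 5, 1), "critical"),
    Advisory("nginx", "1.24.0", date(2024, 4, 20), "important"),
    Advisory("oldlib", "1.10", date(2024, 5, 20), "important",
             eos=date(2024, 5, 15)),
]

# Patch windows: 2 days for critical (ACSC 1349), 30 days otherwise (PCI 6.1.b).
SLA_DAYS = {"critical": 2, "important": 30}


def run_sample(today: date = date(2024, 5, 22)) -> List[dict]:
    """Run the check over the constructed data with a fixed 'today'."""
    return needs_action(SAMPLE_INSTALLED, SAMPLE_ADVISORIES, today, SLA_DAYS)


if __name__ == "__main__":
    for f in run_sample():
        flags = []
        if f["sla_breached"]:
            flags.append("PATCH WINDOW EXCEEDED")
        if f["past_end_of_support"]:
            flags.append("PAST END OF SUPPORT")
        print(f"{f['package']}: installed {f['installed']}, fixed in "
              f"{f['fixed_in']} ({f['severity']}, {f['days_since_release']}d) "
              + " ".join(flags))
```

Run against the sample data, openssl is reported as behind and past the two-day critical window, nginx is current and produces no finding, and oldlib is both behind (caught only because `version_key` compares 9 and 10 as integers) and past its end-of-support date, so replacement rather than patching is the action. The comparison is made against the vendor's list, not a local mirror, because a stale mirror would pass the check while leaving the system behind.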