
Install critical security updates and important security updates in a timely manner.

CONTROL ID
01696
CONTROL TYPE
Configuration
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Use the latest approved version of all software., CC ID: 00897

This Control has the following implementation support Control(s):
  • Include risk information when communicating critical security updates., CC ID: 14948

SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Implementation of the security features recommended by device and system vendors. (Critical components of information security 24) viii. ¶ 1 d., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • A relevant entity must ensure that security patches are applied to address vulnerabilities to every system, and apply such security patches within a timeframe that is commensurate with the risks posed by each vulnerability. (IV. 4.2(a), MAS-201908-Notice 655 Cyber Hygiene)
  • When using a software-based isolation mechanism to share a physical server's hardware, patches are applied to the isolation mechanism and underlying operating system in a timely manner. (Security Control: 1606; Revision: 0, Australian Government Information Security Manual, March 2021)
  • Security updates are applied to mobile devices as soon as they become available. (Control: ISM-1366; Revision: 2, Australian Government Information Security Manual, June 2023)
  • When using a software-based isolation mechanism to share a physical server's hardware, patches, updates or vendor mitigations for security vulnerabilities are applied to the isolation mechanism and underlying operating system in a timely manner. (Control: ISM-1606; Revision: 1, Australian Government Information Security Manual, June 2023)
  • Patches, updates or vendor mitigations for security vulnerabilities in internet-facing services are applied within two weeks of release, or within 48 hours if an exploit exists. (Control: ISM-1690; Revision: 0, Australian Government Information Security Manual, June 2023)
  • Patches, updates or vendor mitigations for security vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF software, and security products are applied within two weeks of release. (Control: ISM-1691; Revision: 0, Australian Government Information Security Manual, June 2023)
  • Patches, updates or vendor mitigations for security vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF software, and security products are applied within 48 hours if an exploit exists. (Control: ISM-1692; Revision: 0, Australian Government Information Security Manual, June 2023)
  • Patches, updates or vendor mitigations for security vulnerabilities in operating systems of workstations, servers and network devices are applied within two weeks of release. (Control: ISM-1695; Revision: 0, Australian Government Information Security Manual, June 2023)
  • Patches, updates or vendor mitigations for security vulnerabilities in operating systems of workstations, servers and network devices are applied within 48 hours if an exploit exists. (Control: ISM-1696; Revision: 0, Australian Government Information Security Manual, June 2023)
  • Patches, updates or vendor mitigations for security vulnerabilities in operating systems of internet-facing services are applied within two weeks of release, or within 48 hours if an exploit exists. (Control: ISM-1694; Revision: 0, Australian Government Information Security Manual, June 2023)
  • Patches, updates or vendor mitigations for security vulnerabilities in drivers and firmware are applied within two weeks of release, or within 48 hours if an exploit exists. (Control: ISM-1697; Revision: 0, Australian Government Information Security Manual, June 2023)
  • Patches, updates or vendor mitigations for security vulnerabilities in operating systems of ICT equipment other than workstations, servers and network devices are applied within two weeks of release, or within 48 hours if an exploit exists. (Control: ISM-1751; Revision: 1, Australian Government Information Security Manual, June 2023)
  • Patches, updates or vendor mitigations for security vulnerabilities in applications other than office productivity suites, web browsers and their extensions, email clients, PDF software, and security products are applied within one month of release. (Control: ISM-1693; Revision: 1, Australian Government Information Security Manual, June 2023)
  • Security updates are applied to mobile devices as soon as they become available. (Control: ISM-1366; Revision: 2, Australian Government Information Security Manual, September 2023)
  • Patches, updates or other vendor mitigations for vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF software, and security products are applied within 48 hours of release when vulnerabilities are assessed as critical by vendors or when working exploi… (Control: ISM-1692; Revision: 1, Australian Government Information Security Manual, September 2023)
  • Patches, updates or other vendor mitigations for vulnerabilities in applications other than office productivity suites, web browsers and their extensions, email clients, PDF software, and security products are applied within one month of release. (Control: ISM-1693; Revision: 2, Australian Government Information Security Manual, September 2023)
  • Patches, updates or other vendor mitigations for vulnerabilities in operating systems of internet-facing servers and internet-facing network devices are applied within two weeks of release. (Control: ISM-1694; Revision: 1, Australian Government Information Security Manual, September 2023)
  • Patches, updates or other vendor mitigations for vulnerabilities in operating systems of workstations, non-internet-facing servers and non-internet-facing network devices are applied within two weeks of release. (Control: ISM-1695; Revision: 1, Australian Government Information Security Manual, September 2023)
  • Patches, updates or other vendor mitigations for vulnerabilities in operating systems of workstations, non-internet-facing servers and non-internet-facing network devices are applied within 48 hours of release when vulnerabilities are assessed as critical by vendors or when working exploits exist. (Control: ISM-1696; Revision: 1, Australian Government Information Security Manual, September 2023)
  • Patches, updates or other vendor mitigations for vulnerabilities in drivers and firmware are applied within two weeks of release. (Control: ISM-1697; Revision: 1, Australian Government Information Security Manual, September 2023)
  • Patches, updates or other vendor mitigations for vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF software, and security products are applied within two weeks of release. (Control: ISM-1691; Revision: 1, Australian Government Information Security Manual, September 2023)
  • Patches, updates or other vendor mitigations for vulnerabilities in operating systems of ICT equipment other than workstations, servers and network devices are applied within two weeks of release. (Control: ISM-1751; Revision: 2, Australian Government Information Security Manual, September 2023)
  • Patches, updates or other vendor mitigations for vulnerabilities in online services are applied within 48 hours of release when vulnerabilities are assessed as critical by vendors or when working exploits exist. (Control: ISM-1876; Revision: 0, Australian Government Information Security Manual, September 2023)
  • Patches, updates or other vendor mitigations for vulnerabilities in operating systems of internet-facing servers and internet-facing network devices are applied within 48 hours of release when vulnerabilities are assessed as critical by vendors or when working exploits exist. (Control: ISM-1877; Revision: 0, Australian Government Information Security Manual, September 2023)
  • Patches, updates or other vendor mitigations for vulnerabilities in operating systems of ICT equipment other than workstations, servers and network devices are applied within 48 hours of release when vulnerabilities are assessed as critical by vendors or when working exploits exist. (Control: ISM-1878; Revision: 0, Australian Government Information Security Manual, September 2023)
  • Patches, updates or other vendor mitigations for vulnerabilities in drivers and firmware are applied within 48 hours of release when vulnerabilities are assessed as critical by vendors or when working exploits exist. (Control: ISM-1879; Revision: 0, Australian Government Information Security Manual, September 2023)
  • When using a software-based isolation mechanism to share a physical server's hardware, patches, updates or vendor mitigations for vulnerabilities are applied to the isolation mechanism and underlying operating system in a timely manner. (Control: ISM-1606; Revision: 2, Australian Government Information Security Manual, September 2023)
  • Patches, updates or other vendor mitigations for vulnerabilities in online services are applied within two weeks of release. (Control: ISM-1690; Revision: 1, Australian Government Information Security Manual, September 2023)
  • The procedures for testing and applying software patches, software updates, and signatures in order to maintain the security and functionality of System Software should be included in the Standard Operating Procedures for the information technology security officer. (Control: 0790 Table Row "System maintenance", Australian Government Information Security Manual: Controls)
  • The organization must apply security patches as soon as possible. (Control: 0940, Australian Government Information Security Manual: Controls)
  • The organization must install critical security patches inside of 2 days. (Control: 1144, Australian Government Information Security Manual: Controls)
  • The organization must apply the latest product updates and security patches to the Database Management System software as soon as possible. (Control: 1244, Australian Government Information Security Manual: Controls)
  • Wireless Access Points and wireless devices should be upgraded to support 802.11w. (Control: 1335, Australian Government Information Security Manual: Controls)
  • The organization should apply security updates to mobile devices on a regular basis. (Control: 1049, Australian Government Information Security Manual: Controls)
  • selection and configuration — considerations when selecting and configuring vendor supplied software include due diligence as to the security testing conducted to identify vulnerabilities (either intended or deliberate); user access management capabilities (e.g. role based, support of segregation … (Attachment D 2(c)., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • All patches should be up-to-date to reduce potential vulnerabilities to the system. (§ 3.5.8, Australian Government ICT Security Manual (ACSI 33))
  • Are all high-risk or critical security updates for operating systems and firmware installed within 14 days of release? (A6.4., Cyber Essentials Scheme (CES) Questionnaire, Version 13)
  • Are all high-risk or critical security updates for applications (including any associated files and any plugins such as Java, Adobe Reader and .Net.) installed within 14 days of release? (A6.5., Cyber Essentials Scheme (CES) Questionnaire, Version 13)
  • Are all tablets kept up to date with vendor updates and application updates? (Patch management Question 50, Cyber Essentials Scheme (CES) Questionnaire, Versions 3.3)
  • Security updates shall be timely. (Provision 5.3-8, CYBER; Cyber Security for Consumer Internet of Things: Baseline Requirements, ETSI EN 303 645, V2.1.1)
  • The cloud provider draws up regular reports on the performed audits, which are reviewed and analysed by authorised bodies or committees. Policies and instructions describe the technical safeguards for the secure configuration and monitoring of the management console (both the self- service of the cu… (Section 5.6 RB-05 Description of additional requirements (confidentiality and availability) ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • Does the organization add timetables to patch potential vulnerabilities? (Table Row III.14, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Are external partners required to patch all non-critical patches in 30 days? (Table Row III.15, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Are external partners required to patch critical patches to servers and clients in 48 hours? (Table Row III.16, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Are firewalls updated when a patch is available? (Table Row V.12, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Are short timetables mandated for the test and installation of software patches that fix security flaws? (Table Row XI.2, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Has the organization installed the latest patches for sadmind? (App Table Active Content Filtering Row 3, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Has the organization installed the latest patches for mountd? (App Table Active Content Filtering Row 3, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • After installation, the latest security updates should be installed to ensure no vulnerabilities exist in the software. (Pg 25, Mac OS X Security Configuration for version 10.4 or later, second edition, Second Edition)
  • There are several settings that need to be set to ensure that Windows Update will check for, download, and install any available updates. When an update has been downloaded and users log off the system, they will be prompted with a dialog box. The Do Not Display 'Install Updates and Shut Down' optio… (Pg 94, Microsoft Windows Vista Security Guide Appendix A: Security Group Policy Settings)
  • Ensure updates, patches, and additional security software are installed Description: Periodically patches are released for included software either due to security flaws or to include additional functionality. _Note: Site policy may mandate a testing period before install onto production systems for… (1.9, CIS Amazon Linux 2 Benchmark, v.2.0.0, Level 1)
  • Ensure updates, patches, and additional security software are installed Description: Periodically patches are released for included software either due to security flaws or to include additional functionality. _Note: Site policy may mandate a testing period before install onto production systems for… (1.9, CIS Amazon Linux 2 Benchmark, v.2.0.0, Level 2)
  • In order to prevent a system from being accessed by an unauthorized user via a known defect, system updates should be checked for regularly. The software should be set to automatically check on either a weekly or daily basis. (§ 2.2, The Center for Internet Security Mac OS X Tiger Level I Security Benchmark, 1)
  • To prevent known vulnerabilities from existing on the system, the latest updates and patches should be installed. These updates should be checked for and downloaded automatically. (§ 1.3, § 9.1, The Center for Internet Security Open Enterprise Server: NetWare (v1) Consensus Baseline Security Settings Benchmark, 1)
  • Title: Use the Latest OS Release Description: Periodically, Red Hat releases updates to the Red Hat operating system to support new hardware platforms, deliver new functionality as well as the bundle together a set of patches that can be tested as a unit. Rationale: Newer updates may contain s… (Rule:xccdf_org.cisecurity.benchmarks_rule_1.7_Use_the_Latest_OS_Release, The Center for Internet Security Red Hat Enterprise Linux 6 Level 1 Benchmark, 1.2.0)
  • Title: Use the Latest OS Release Description: Periodically, Red Hat releases updates to the Red Hat operating system to support new hardware platforms, deliver new functionality as well as the bundle together a set of patches that can be tested as a unit. Rationale: Newer updates may contain s… (Rule:xccdf_org.cisecurity.benchmarks_rule_1.7_Use_the_Latest_OS_Release, The Center for Internet Security Red Hat Enterprise Linux 6 Level 2 Benchmark, 1.2.0)
  • Hot fixes are released quickly after a bug or vulnerability is discovered. They are not tested as well as Service Packs. A released hot fix contains information on whether or not it is security related and what problem it fixes. You should proceed with caution when installing a hot fix and weigh the… (Pg 9, Pg 10, The Center for Internet Security Windows 2000 Benchmark, 2.2.1)
  • Security software updates are released as needed throughout the year. Even though they are tested before being released, they are not tested as thoroughly as Service Packs are. If you do not have a test environment to test them in, wait for a couple of weeks prior to installation and watch for indus… (§ 1.2.1, The Center for Internet Security Windows 2000 Professional Benchmark, 2.2.1)
  • Hot fixes are released quickly after a bug or vulnerability is discovered. They are not tested as well as Service Packs. A released hot fix contains information on whether or not it is security related and what problem it fixes. You should proceed with caution when installing a hot fix and weigh the… (§ 9, § 10, The Center for Internet Security Windows 2000 Professional Operating System Level 2 Benchmark, 2.2.1)
  • Ensure that all available critical hot fixes have been installed. (§ 1.1.2, The Center for Internet Security Windows 2000 Server Benchmark, 2.2.1)
  • Hot fixes are released quickly after a bug or vulnerability is discovered. They are not tested as well as Service Packs. A released hot fix contains information on whether or not it is security related and what problem it fixes. You should proceed with caution when installing a hot fix and weigh the… (Pg 11, The Center for Internet Security Windows NT Benchmark, 1.0.5)
  • The organization must ensure that all critical and important security updates available to date are installed. Although security updates are generally reliable and go through some testing, it is significantly possible that a security update addressing a single problem is not compatible with every so… (§ 1.2.1, The Center for Internet Security Windows XP Professional SP1/SP2 Benchmark, 2.01)
  • Ensure updates, patches, and additional security software are installed Description: Periodically patches are released for included software either due to security flaws or to include additional functionality. Rationale: Newer patches may contain security enhancements that would not be available thr… (1.9, CIS Oracle Linux 8 Benchmark, Server Level 1, v1.0.1)
  • Ensure updates, patches, and additional security software are installed Description: Periodically patches are released for included software either due to security flaws or to include additional functionality. Rationale: Newer patches may contain security enhancements that would not be available thr… (1.9, CIS Oracle Linux 8 Benchmark, Server Level 2, v1.0.1)
  • The organization must ensure the latest vendor-supplied security patches have been installed within 1 month of release. (§ 6.1.b, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 2.0)
  • Examine the policies and procedures for patch installation to verify the processes include installing applicable critical security patches inside of 1 month of release. (Testing Procedures § 6.2.a Bullet 1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Examine the policies and procedures for patch installation to verify the processes include installing applicable security patches inside an appropriate time period. (Testing Procedures § 6.2.a Bullet 2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Compare the list of installed security patches for a sample of system components and software to the most recent vendor security patch list to verify that the applicable critical security patches are installed inside of 1 month of release. (Testing Procedures § 6.2.b Bullet 1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Compare the list of installed security patches for a sample of system components and software to the most recent vendor security patch list to verify that the applicable security patches are installed inside an appropriate time period. (Testing Procedures § 6.2.b Bullet 2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • The organization must install critical security patches within one month of release. (§ 6.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • Vendor-supplied security patches must be installed on all system components and software. (PCI DSS Requirements § 6.2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • Critical security patches must be installed inside of 1 month of release. (PCI DSS Requirements § 6.2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • Are critical security patches installed within one month of release? (6.2 (b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.1)
  • Are critical security patches installed within one month of release? (6.2(b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.2)
  • Are all system components and software protected from known vulnerabilities by installing applicable vendor supplied security patches? (6.2 (a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire B-IP and Attestation of Compliance, Version 3.1)
  • Are critical security patches installed within one month of release? (6.2 (b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire B-IP and Attestation of Compliance, Version 3.1)
  • Are critical security patches installed within one month of release? (6.2(b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire B-IP and Attestation of Compliance, Version 3.2)
  • Are critical security patches installed within one month of release? (6.2(b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.2)
  • Are critical security patches installed within one month of release? (6.2 (b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C-VT and Attestation of Compliance, Version 3.1)
  • Are critical security patches installed within one month of release? (6.2(b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C-VT and Attestation of Compliance, Version 3.2)
  • Are critical security patches installed within one month of release? (6.2 (b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • Are critical security patches installed within one month of release? (6.2(b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • Are critical security patches installed within one month of release? (6.2 (b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • Are critical security patches installed within one month of release? (6.2(b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • All system components are protected from known vulnerabilities by installing applicable security patches/updates as follows: (6.3.3, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Critical or high-security patches/updates (identified according to the risk ranking process at Requirement 6.3.1) are installed within one month of release. (6.3.3 Bullet 1, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • All other applicable security patches/updates are installed within an appropriate time frame as determined by the entity (for example, within three months of release). (6.3.3 Bullet 2, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Examine policies and procedures to verify processes are defined for addressing vulnerabilities by installing applicable security patches/updates in accordance with all elements specified in this requirement. (6.3.3.a, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Are critical security patches installed within one month of release? (PCI DSS Question 6.2(b), PCI DSS Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.0)
  • Are critical security patches installed within one month of release? (PCI DSS Question 6.2(b), PCI DSS Self-Assessment Questionnaire B-IP and Attestation of Compliance, Version 3.0)
  • Are critical security patches installed within one month of release? (PCI DSS Question 6.2(b), PCI DSS Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.0)
  • Are critical security patches installed within one month of release? (PCI DSS Question 6.2(c), PCI DSS Self-Assessment Questionnaire C-VT and Attestation of Compliance, Version 3.0)
  • Are critical security patches installed within one month of release? (PCI DSS Question 6.2(b), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • Are critical security patches installed within one month of release? (PCI DSS Question 6.2(b), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • All system components are protected from known vulnerabilities by installing applicable security patches/updates as follows: (6.3.3, Self-Assessment Questionnaire A and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Critical or high-security patches/updates are installed within one month of release. (6.3.3 Bullet 1, Self-Assessment Questionnaire A and Attestation of Compliance for use with PCI DSS Version 4.0)
  • All system components are protected from known vulnerabilities by installing applicable security patches/updates as follows: (6.3.3, Self-Assessment Questionnaire A-EP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Critical or high-security patches/updates (identified according to the risk ranking process at Requirement 6.3.1) are installed within one month of release. (6.3.3 Bullet 1, Self-Assessment Questionnaire A-EP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • All system components are protected from known vulnerabilities by installing applicable security patches/updates as follows: (6.3.3, Self-Assessment Questionnaire B-IP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Critical or high-security patches/updates (identified according to the risk ranking process at Requirement 6.3.1) are installed within one month of release. (6.3.3 Bullet 1, Self-Assessment Questionnaire B-IP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • All system components are protected from known vulnerabilities by installing applicable security patches/updates as follows: (6.3.3, Self-Assessment Questionnaire C and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Critical or high-security patches/updates (identified according to the risk ranking process at Requirement 6.3.1) are installed within one month of release. (6.3.3 Bullet 1, Self-Assessment Questionnaire C and Attestation of Compliance for use with PCI DSS Version 4.0)
  • All system components are protected from known vulnerabilities by installing applicable security patches/updates as follows: (6.3.3, Self-Assessment Questionnaire C-VT and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Critical or high-security patches/updates (identified according to the risk ranking process at Requirement 6.3.1) are installed within one month of release. (6.3.3 Bullet 1, Self-Assessment Questionnaire C-VT and Attestation of Compliance for use with PCI DSS Version 4.0)
  • All system components are protected from known vulnerabilities by installing applicable security patches/updates as follows: (6.3.3, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Critical or high-security patches/updates (identified according to the risk ranking process at Requirement 6.3.1) are installed within one month of release. (6.3.3 Bullet 1, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • All other applicable security patches/updates are installed within an appropriate time frame as determined by the entity (for example, within three months of release). (6.3.3 Bullet 2, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Critical or high-security patches/updates (identified according to the risk ranking process at Requirement 6.3.1) are installed within one month of release. (6.3.3 Bullet 1, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • All other applicable security patches/updates are installed within an appropriate time frame as determined by the entity (for example, within three months of release). (6.3.3 Bullet 2, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • All system components are protected from known vulnerabilities by installing applicable security patches/updates as follows: (6.3.3, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • The patch management process should describe methods of deploying patches in a timely way (e.g., grouping multiple patches and using software distribution tools). (CF.10.01.06d, The Standard of Good Practice for Information Security)
  • Regular reviews of servers, mobile devices, and consumer devices should be performed to ensure that updates to malware protection software are applied in defined timescales. (CF.10.03.07c, The Standard of Good Practice for Information Security)
  • Regular reviews of servers, mobile devices, and consumer devices should be performed to ensure that updates to malware protection software are applied in defined timescales. (CF.10.03.07c, The Standard of Good Practice for Information Security, 2013)
  • The organization should ensure critical patches are implemented in the shortest time period possible. (Action 1.1.1 ¶ 2, SANS Computer Security Incident Handling, Version 2.3.1)
  • For all acquired application software, check that the version you are using is still supported by the vendor. If not, update to the most current version and install all relevant patches and vendor security recommendations. (Control 18.1, The CIS Critical Security Controls for Effective Cyber Defense, Version 6.0)
  • Install the latest stable version of any security-related updates on all network devices. (Control 11.5, The CIS Critical Security Controls for Effective Cyber Defense, Version 6.0)
  • Mobile devices connecting to corporate networks or storing and accessing company information validated shall allow for remote validation to download the latest security patches by company IT personnel. All mobile devices shall have the latest available security-related patches installed upon general… (MOS-19, Cloud Controls Matrix, v3.0)
  • Minimise the occurrence of known technical vulnerabilities within the local SWIFT infrastructure by ensuring vendor support, applying mandatory software updates, and applying timely security updates aligned to the assessed risk. (2.2 Control Objective, Swift Customer Security Controls Framework (CSCF), v2019)
  • Deploy automated software update tools in order to ensure that the operating systems are running the most recent security updates provided by the software vendor. (CIS Control 3: Sub-Control 3.4 Deploy Automated Operating System Patch Management Tools, CIS Controls, 7.1)
  • Deploy automated software update tools in order to ensure that third-party software on all systems is running the most recent security updates provided by the software vendor. (CIS Control 3: Sub-Control 3.5 Deploy Automated Software Patch Management Tools, CIS Controls, 7.1)
  • Install the latest stable version of any security-related updates on all network devices. (CIS Control 11: Sub-Control 11.4 Install the Latest Stable Version of Any Security-Related Updates on All Network Devices, CIS Controls, 7.1)
  • Deploy automated software update tools in order to ensure that the operating systems are running the most recent security updates provided by the software vendor. (CIS Control 3: Sub-Control 3.4 Deploy Automated Operating System Patch Management Tools, CIS Controls, V7)
  • Deploy automated software update tools in order to ensure that third-party software on all systems is running the most recent security updates provided by the software vendor. (CIS Control 3: Sub-Control 3.5 Deploy Automated Software Patch Management Tools, CIS Controls, V7)
  • Install the latest stable version of any security-related updates on all network devices. (CIS Control 11: Sub-Control 11.4 Install the Latest Stable Version of Any Security-Related Updates on All Network Devices, CIS Controls, V7)
  • Enforce and update network-based URL filters to limit an enterprise asset from connecting to potentially malicious or unapproved websites. Example implementations include category-based filtering, reputation-based filtering, or through the use of block lists. Enforce filters for all enterprise asset… (CIS Control 9: Safeguard 9.3 Maintain and Enforce Network-Based URL Filters, CIS Controls, V8)
  • Installs security-relevant software and firmware updates within [Assignment: organization-defined time period] of the release of the updates; and (SI-2c., StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • Installs security-relevant software and firmware updates within [Assignment: organization-defined time period] of the release of the updates; and (SI-2c., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Installs security-relevant software and firmware updates within [Assignment: organization-defined time period] of the release of the updates; and (SI-2c., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Installs security-relevant software and firmware updates within [Assignment: organization-defined time period] of the release of the updates; and (SI-2c., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • using automatic software updating functionality or, alternatively, manually monitoring the availability of available software updates and installing updates, and spot check to ensure that updates are applied when necessary; (Information Security Program Bullet 3 Deployment of Protective Measures Against the Identified Threats and Vulnerabilities ¶ 1 Sub-bullet 7, 9070 - NFA Compliance Rules 2-9, 2-36 and 2-49: Information Systems Security Programs)
  • Security patching, including manual or managed updates; (Attachment 1 Section 1. 1.3. Bullet 1, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Configuration Change Management and Vulnerability Assessments CIP-010-4, Version 4)
  • Security patching, including manual or managed updates; (Attachment 1 Section 1. 1.3. Bullet 1, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Configuration Change Management and Vulnerability CIP-010-3, Version 3)
  • For those methods identified in Part 3.1 that use signatures or patterns, have a process for the update of the signatures or patterns. The process must address testing and installing the signatures or patterns. (CIP-007-6 Table R3 Part 3.3 Requirements ¶ 1., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - System Security Management CIP-007-6, Version 6)
  • A patch management process for tracking, evaluating, and installing cyber security patches for applicable Cyber Assets. The tracking portion shall include the identification of a source or sources that the Responsible Entity tracks for the release of cyber security patches for applicable Cyber Asset… (CIP-007-6 Table R2 Part 2.1 Requirements ¶ 1., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - System Security Management CIP-007-6, Version 6)
  • At least once every 35 calendar days, evaluate security patches for applicability that have been released since the last evaluation from the source or sources identified in Part 2.1. (CIP-007-6 Table R2 Part 2.2 Requirements ¶ 1., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - System Security Management CIP-007-6, Version 6)
  • Are security patches reviewed and applied to network devices? (§ G.11.6, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • Table F-1: For Windows 2000 Server, the organization must implement all critical operating system security patches. Table F-2: For Windows 2003 Server, the organization must implement all critical operating system security patches. Table F-3: For Windows 2000 Professional, the organization must inst… (Table F-1, Table F-2, Table F-3, Table F-4, Table F-6, Table F-7, Table F-8, Table F-9, CMS Business Partners Systems Security Manual, Rev. 10)
  • All security-related patches should be installed on the system in a timely fashion. See Appendix B of DISA Windows Server 2003 Security Checklist, Version 6, Release 1.3 for a list of all security bulletins and updates. Installing Service Pack 1 and 2 will fix many of these vulnerabilities. (§ 5.13.1, App B, DISA Windows Server 2003 Security Checklist, Version 6 Release 1.11)
  • Security-related software patches should be installed on the system in a timely fashion. Appendix B of the Windows Vista Security Checklist Version 6, Release 1.3 document contains a list of all security bulletins and updates that should be installed. Installing Service Pack 1 and 2 will fix many of… (§ 3.13 (2.019), App B, DISA Windows VISTA Security Checklist, Version 6 Release 1.11)
  • All security software patches should be installed on the system in a timely fashion. Appendix B of the Windows XP Security Checklist Version 6, Release 1.3 document contains a list of all security bulletins and updates that should be installed. Installing Service Pack 1 and 2 will fix many of the li… (§ 5.12.1, DISA Windows XP Security Checklist, Version 6 Release 1.11)
  • Technical Surveillance Countermeasure equipment shall be kept current. (§ 10.c, SECNAV Instruction 3850.4, Technical Surveillance Countermeasures (TSCM) Program)
  • An organization shall ensure cellular devices install critical patches and upgrades to the Operating System as soon as they become available. (§ 5.5.7.3.1(1), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • The agency, software developer, or vendor shall develop and implement a local policy for promptly installing newly released security relevant patches, service packs, and fixes. (§ 5.10.4.1 ¶ 2, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • A patch management program is implemented and ensures that software and firmware patches are applied in a timely manner. (Domain 3: Assessment Factor: Corrective Controls, PATCH MANAGEMENT Baseline 1 ¶ 1, FFIEC Cybersecurity Assessment Tool, Baseline, May 2017)
  • Installs the latest version of security-related updates on network devices, when appropriate. (App A Objective 13:3f, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • The organization should monitor the Internet and vendor sites for upgrades, security updates, and enhancements and should ensure the latest updates are installed on the system. (Pg 26, FFIEC IT Examination Handbook - Operations, July 2004)
  • Installs security-relevant software and firmware updates within [FedRAMP Assignment: thirty (30) days of release of updates] of the release of the updates; and (SI-2c. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Installs security-relevant software and firmware updates within [FedRAMP Assignment: thirty (30) days of release of updates] of the release of the updates; and (SI-2c. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Installs security-relevant software and firmware updates within [FedRAMP Assignment: thirty (30) days of release of updates] of the release of the updates; and (SI-2c. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Install security-relevant software and firmware updates within [FedRAMP Assignment: at least monthly] of the release of the updates; and (SI-2c., FedRAMP Security Controls High Baseline, Version 5)
  • Determine if system components have applicable security-relevant software and firmware updates installed using [Assignment: organization-defined automated mechanisms] [FedRAMP Assignment: at least monthly]. (SI-2(2) ¶ 1, FedRAMP Security Controls High Baseline, Version 5)
  • Install security-relevant software and firmware updates within [FedRAMP Assignment: within thirty (30) days of release of updates] of the release of the updates; and (SI-2c., FedRAMP Security Controls Low Baseline, Version 5)
  • Determine if system components have applicable security-relevant software and firmware updates installed using [Assignment: organization-defined automated mechanisms] [FedRAMP Assignment: at least monthly]. (SI-2(2) ¶ 1, FedRAMP Security Controls Moderate Baseline, Version 5)
  • Install security-relevant software and firmware updates within [FedRAMP Assignment: within thirty (30) days of release of updates] of the release of the updates; and (SI-2c., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Are the firewall patches up to date? (IT - Firewalls Q 14, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Does the Credit Union Information Technology policy include the frequency for system patches and updates? (IT - Policy Checklist Q 13, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Install security-relevant software and firmware updates within [Assignment: organization-defined time period] of the release of the updates; and (SI-2c., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Determine if system components have applicable security-relevant software and firmware updates installed using [Assignment: organization-defined automated mechanisms] [Assignment: organization-defined frequency]. (SI-2(2) ¶ 1, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Install security-relevant software and firmware updates within [Assignment: organization-defined time period] of the release of the updates; and (SI-2c., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Determine if system components have applicable security-relevant software and firmware updates installed using [Assignment: organization-defined automated mechanisms] [Assignment: organization-defined frequency]. (SI-2(2) ¶ 1, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Install security-relevant software and firmware updates within [Assignment: organization-defined time period] of the release of the updates; and (SI-2c., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Install security-relevant software and firmware updates within [Assignment: organization-defined time period] of the release of the updates; and (SI-2c., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • Install security-relevant software and firmware updates within [Assignment: organization-defined time period] of the release of the updates; and (SI-2c., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Flow Down Controls)
  • Install [Assignment: organization-defined security-relevant software and firmware updates] automatically to [Assignment: organization-defined system components]. (SI-2(5) ¶ 1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Install security-relevant software and firmware updates within [Assignment: organization-defined time period] of the release of the updates; and (SI-2c., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Install security-relevant software and firmware updates within [Assignment: organization-defined time period] of the release of the updates; and (SI-2c., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Security updates are released as soon as possible after the discovery of a problem. All updates should be installed as soon as practical. (§ 4.3.2, Guidance for Securing Microsoft Windows XP Systems for IT Professionals, NIST SP 800-68, Revision 1)
  • Installs security-relevant software and firmware updates within [Assignment: organization-defined time period] of the release of the updates; and (SI-2c. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Installs security-relevant software and firmware updates within [Assignment: organization-defined time period] of the release of the updates; and (SI-2c. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Installs security-relevant software and firmware updates within [Assignment: organization-defined time period] of the release of the updates; and (SI-2c. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Ensure that the application of security patches for commercial products integrated into system design meet the timelines dictated by the management authority for the intended operational environment. (T0086, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Use of base layers from trusted sources only, frequent updates of base layers, and selection of base layers from minimalistic technologies like Alpine Linux and Windows Nano Server to reduce attack surface areas. (4.1.2 ¶ 1 (4), NIST SP 800-190, Application Container Security Guide)
  • Organizations should implement management practices and tools to validate the versioning of components provided for base OS management and functionality. Even though container-specific OSs have a much more minimal set of components than general-purpose OSs, they still do have vulnerabilities and stil… (4.5.3 ¶ 1, NIST SP 800-190, Application Container Security Guide)
  • The organization should locate flaw remediation protection mechanisms centrally and install software updates automatically. (App F § SI-2(1), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • Ensure that the application of security patches for commercial products integrated into system design meet the timelines dictated by the management authority for the intended operational environment. (T0086, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • The organization installs {organizationally documented security-relevant software and firmware updates} automatically to {organizationally documented information system components}. (SI-2(5), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • Installs security-relevant software and firmware updates within [Assignment: organization-defined time period] of the release of the updates; and (SI-2c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Installs security-relevant software and firmware updates within [Assignment: organization-defined time period] of the release of the updates; and (SI-2c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • Installs security-relevant software and firmware updates within [Assignment: organization-defined time period] of the release of the updates; and (SI-2c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Installs security-relevant software and firmware updates within [Assignment: organization-defined time period] of the release of the updates; and (SI-2c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • The organization installs [Assignment: organization-defined security-relevant software and firmware updates] automatically to [Assignment: organization-defined information system components]. (SI-2(5) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Install [Assignment: organization-defined security-relevant software and firmware updates] automatically to [Assignment: organization-defined system components]. (SI-2(5) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Determine if system components have applicable security-relevant software and firmware updates installed using [Assignment: organization-defined automated mechanisms] [Assignment: organization-defined frequency]. (SI-2(2) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Install security-relevant software and firmware updates within [Assignment: organization-defined time period] of the release of the updates; and (SI-2c., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Install [Assignment: organization-defined security-relevant software and firmware updates] automatically to [Assignment: organization-defined system components]. (SI-2(5) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Determine if system components have applicable security-relevant software and firmware updates installed using [Assignment: organization-defined automated mechanisms] [Assignment: organization-defined frequency]. (SI-2(2) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Install security-relevant software and firmware updates within [Assignment: organization-defined time period] of the release of the updates; and (SI-2c., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Installs security-relevant software and firmware updates within [Assignment: organization-defined time period] of the release of the updates; and (SI-2c., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • The organization installs [Assignment: organization-defined security-relevant software and firmware updates] automatically to [Assignment: organization-defined information system components]. (SI-2(5) ¶ 1, Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Before configuring your Windows 2000 system, ensure that the latest hot fixes have been installed. (Pg 1, NSA Guide to Securing Microsoft Windows 2000 Group Policy, Version 1.1)
  • There are several settings that need to be set to ensure that Windows Update will check for, download, and install any available updates. When an update has been downloaded and users log off the system, they will be prompted with a dialog box. The Do Not Display 'Install Updates and Shut Down' optio… (Pg 101, Pg 102, NSA Guide to Security Microsoft Windows XP)
  • Apply latest OS patches. In addition to installing the Solaris Recommended Patch Clusters, administrators may wish to also check the Solaris 9 patch report file. Keeping up to date with vendor patches is critical for the security and reliability of the system. (§ 1.2, NSA Guide to the Secure Configuration of Solaris 9, Version 1.0)
  • for personal information that is stored or accessible on a system that is connected to the Internet, reasonably up-to-date software security protection that can support updates and patches, including, but not limited to, firewall protection, operating system security patches and malicious software p… (§ 38a-999b(b)(2)(B)(vi), Connecticut General Statutes Title 38a, Chapter 705, Section 38a - 999b, Comprehensive information security program to safeguard personal information. Certification. Notice requirements for actual or suspected breach. Penalty.)
  • Anyone who stores, licenses, owns, or maintains personal information about a Massachusetts resident and electronically transmits or stores that information must establish and maintain a security system (which must be included in the comprehensive, written information security program) for all comput… (§ 17.04(6), Massachusetts 201 CMR 17.00: Standards for The Protection of Personal Information of Residents of the Commonwealth of Massachusetts)
  • Installs security-relevant software and firmware updates within [TX-RAMP Assignment: within 30 days of release of updates] of the release of the updates; and (SI-2c., TX-RAMP Security Controls Baseline Level 1)
  • Installs security-relevant software and firmware updates within [TX-RAMP Assignment: within 30 days of release of updates] of the release of the updates; and (SI-2c., TX-RAMP Security Controls Baseline Level 2)