Disseminate and communicate software update information to users and regulators.


CONTROL ID
06602
CONTROL TYPE
Behavior
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a software release policy., CC ID: 00893

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • A software business operator under Article 2 of the Software Industry Promotion Act shall, when he or she produced a program that improves weaknesses in security, notify the Korea Internet and Security Agency of its production, and shall notify users of the software of the production at least twice … (Article 47-4(3), Act On Promotion of Information and Communications Network Utilization and Information Protection, Amended by Act No. 14080, Mar. 22, 2016)
  • The manufacturer should inform the user in a recognizable and apparent manner that a security update is required together with information on the risks mitigated by that update. (Provision 5.3-11, CYBER; Cyber Security for Consumer Internet of Things: Baseline Requirements, ETSI EN 303 645, V2.1.1)
  • Does the organization disseminate patch update information throughout the organization's local systems administrators? (Table Row III.13, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • The merchant should require the following activities of its solution provider: - The solution provider should regularly update their payment application and indicate to the merchant when updates are available and are safe to install. - The solution provider should have restrictions on their payment … (¶ 5.3.5, PCI Mobile Payment Acceptance Security Guidelines for Merchants as End-Users, Version 1.1)
  • Release information about the success or failure and future release dates shall be furnished to the Change Management process, the incident management process, and the service request management process. (§ 9.3 ¶ 9, ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
  • For software systems assigned to Class A, Class B, and Class C software safety classes, the medical device manufacturer shall notify regulators and users about any problems in released software products, the consequences of not fixing them, the available fixes, and how to get and install them. (§ 6.2.5, ISO 62304 - 2006 Medical device software - Software life cycle processes, 2006)
  • Collect, safeguard, maintain, and share provenance data for all components of each software release (e.g., in a software bill of materials [SBOM]). (PS.3.2, NIST SP 800-218, Secure Software Development Framework: Recommendations for Mitigating the Risk of Software Vulnerabilities, Version 1.1)