1. Patch Management (PM) Policy
1.1. Purpose
1.1.1. Create a consistently configured environment that is secure against known vulnerabilities in operating systems and application software
1.2. Scope
1.2.1. Work stations
1.2.1.1. OS
1.2.1.2. Whitelisted applications running on workstations
1.2.2. Servers
1.2.2.1. OS
1.2.2.2. Commercial and in-house applications
1.2.3. Network Devices
1.3. Roles and Responsibilities
1.3.1. IT Security Dept
1.3.1.1. Routinely assesses compliance with the patching policy
1.3.1.2. Provides guidance to all groups on security and patch management issues
1.3.2. Infrastructure Management Dept
1.3.2.1. Manages patching for servers and network devices
</gml_replace>
<gr_replace lines="19" cat="clarify" orig="1.3.3.1. will manage">
1.3.3.1. Manages patching for workstations
1.3.3. Workstation Imaging Dept
1.3.3.1. will manage the patching needs for the Work stations
1.3.4. Change management Board
1.3.4.1. Responsible for approving the monthly and emergency patch deployment requests
1.4. Policy
1.4.1. General Policy
1.4.1.1. Patch deployment on production systems must be conducted outside business hours
1.4.1.2. Workstations, servers and network devices owned by VCB must have up-to-date operating system security patches installed to protect the asset from known vulnerabilities.
1.4.1.2.1. Any exception requires formal, documented approval from the CIO
1.4.2. PM Cycle
1.4.2.1. 1. Security and Patch Information Sources
1.4.2.1.1. Assign a person or team responsible for tracking newly released patches and issues relevant to the VCB environment
1.4.2.1.2. Maintain regular contact with vendors and subscribe to their announcement lists
1.4.2.2. 2. Patch Prioritization and Scheduling
1.4.2.2.1. Patch Scheduling type
1.4.2.2.2. Build a patching timeline matrix from system priority and risk level (risk levels from section 2)
1.4.2.2.3. Sample patching timeline matrix
1.4.2.3. 3. Patch testing
1.4.2.3.1. Validate the downloaded patch (verify the patch source and its integrity, e.g. against the vendor's published checksum)
1.4.2.3.2. Test the patch in a test environment before production deployment
1.4.2.4. 4. Disaster Recovery Plan
1.4.2.4.1. Develop a disaster recovery plan before deployment
1.4.2.5. 5. Change management
1.4.2.5.1. Obtain approval from the Change Management Board
1.4.2.6. 6. Install and Deploy Patch
1.4.2.7. 7. Audit and Assessment
1.4.2.8. 8. Update Configuration Management
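Step 3 (patch testing) requires that a downloaded patch be checked for source and integrity before it reaches the test environment. The following is an added example, not part of the VCB policy or any vendor tooling, showing how that check is carried out in practice: it parses a vendor checksum manifest in the common sha256sum format (`<hex digest>  <filename>`), hashes the downloaded file, and compares the two in constant time. An unlisted file, a tampered file and a malformed manifest line are all treated as failures rather than silently accepted. The manifest text, file names and patch payload used in `demo()` are constructed for the example; the authenticity of the manifest itself (for instance a vendor signature on it) is assumed to have been established separately, since a checksum only proves integrity against the manifest you trust.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

HEX_DIGITS = set("0123456789abcdef")


def parse_sha256sums(text):
    """Parse a manifest in sha256sum format ('<hex>  <filename>').

    Returns {filename: hex_digest}. Blank lines and '#' comments are skipped.
    A malformed line raises ValueError: a manifest we cannot parse must not
    be treated as "no constraints".
    """
    expected = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"manifest line {lineno}: malformed entry {raw!r}")
        digest, name = parts
        digest = digest.lower()
        if len(digest) != 64 or not set(digest) <= HEX_DIGITS:
            raise ValueError(f"manifest line {lineno}: bad SHA-256 digest {digest!r}")
        # sha256sum prefixes binary-mode entries with '*'; strip it so the
        # manifest name matches the file name on disk.
        expected[name.lstrip("*")] = digest
    return expected


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so large patch archives do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_patch(path, manifest):
    """Return True only if the file's SHA-256 matches its manifest entry.

    A file that is not listed in the manifest fails: an unlisted artifact
    has no integrity reference and must not be deployed.
    """
    name = Path(path).name
    if name not in manifest:
        return False
    # Constant-time comparison; hex digests are equal-length so no length leak either.
    return hmac.compare_digest(sha256_file(path), manifest[name])


def demo():
    """Constructed scenario: a 'patch' file, the manifest that lists it,
    the same file after tampering, and a file the manifest never listed."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        patch = Path(tmp) / "vcb-agent-2.4.1.tar.gz"  # hypothetical file name
        patch.write_bytes(b"constructed patch payload, not a real vendor package\n")

        # Manifest as the vendor would publish it, built here from the untampered file.
        manifest_text = (
            "# constructed manifest for the example\n"
            f"{sha256_file(patch)}  {patch.name}\n"
        )
        manifest = parse_sha256sums(manifest_text)

        results["untampered"] = verify_patch(patch, manifest)

        # Simulate modification in transit: same name, one byte changed.
        patch.write_bytes(b"constructed patch payload, not a real vendor package!\n")
        results["tampered"] = verify_patch(patch, manifest)

        rogue = Path(tmp) / "rogue-2.4.1.tar.gz"
        rogue.write_bytes(b"never listed by the vendor\n")
        results["unlisted"] = verify_patch(rogue, manifest)
    return results


if __name__ == "__main__":
    print(demo())  # {'untampered': True, 'tampered': False, 'unlisted': False}
```

In a deployment pipeline `verify_patch` would gate step 6 (install and deploy): anything returning False, or any `ValueError` from the manifest parser, stops the cycle and is reported back to the Change Management Board rather than being worked around.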
1.5. Monitoring and Auditing
1.5.1. Active patching teams noted in the Roles and Responsibilities section are required to compile and maintain reporting metrics that summarize the outcome of each patching cycle. These reports shall be used to evaluate the current patching levels of all systems and to assess the current level of risk. These reports shall be made available to Information Security and Internal Audit upon request.
1.6. Enforcement
1.6.1. Implementation and enforcement of this policy is ultimately the responsibility of
1.6.2. Information Security and Internal Audit may conduct random assessments, without notice, to ensure compliance with this policy
1.6.3. Any system found in violation of this policy shall require immediate corrective action
1.6.4. Repeated failure to follow this policy may lead to disciplinary action
1.7. Exceptions
1.7.1. Exceptions require formal, documented approval from the CIO