30) Does your organisation ensure that all IT systems are regularly patched with security patches in line with vendor recommendations, including end point devices, servers, network devices, and applications?
Answer yes if your organisation runs a patch management process to ensure that all IT systems (end points, servers, network devices, and applications) are updated with security patches in line with the manufacturer's guidance. Please describe your patch management processes in the notes section including how you ensure all systems are in scope, or upload supporting documents (as PDF files).
What is it?
When security vulnerabilities are discovered in software, whether in an application or operating system, security patches are typically released by the publisher.
The timely installation of such patches is critical to not leaving systems with vulnerabilities that can be exploited by attackers.
Why should I have it?
Security vulnerabilities in software can be exploited to gain access to your systems. It is important to install security patches to rectify these vulnerabilities as soon as possible. This must be done in a timely manner as there is often an “arms race” of sorts from when security vulnerabilities are disclosed.
Once a patch is available, it means it can be reverse engineered by potential attackers to fully understand the vulnerability and how to exploit it (if this has not already been disclosed or discovered). Therefore, attackers will be developing methods to exploit the vulnerabilities and it is essential to get patches installed before they have to do so. Alternatively, exploits (code that can exploit the vulnerability) may already be available, making it even more important to patch systems quickly.
How to implement the control
Different systems, applications, and operating systems will have different patches and may need to be patched using different approaches or methodologies. The administrators of different kinds of systems are likely best placed to determine how to approach each scenario but collaboration between groups should be sought after and may be facilitated through the use of the right automated patching tooling.
Not all vulnerabilities have the same severity or level of exposure. Some may only be exploitable under certain conditions or mitigating actions can be taken, whereas others can present immediate and severe scenarios that are easy to exploit. As such, you should have a policy dictating how different types and severities of vulnerabilities are to be prioritised within your organisation’s capabilities and addressed, including SLAs.
There are numerous consultancies or individual consultants that will be able to assist in crafting a policy and process that meets your business and technical requirements. Please message us if you would like a recommendation.
If you would like to contribute to this article or provide feedback, please email knowledge@riskledger.com. Contributors will be recognised on our contributors page.
