5000-1002-S1.20090826
DTS Standard 5000-1002-S1
Patch Management Security Standard
Status: Approved
Effective Date: August 26, 2009 through August 25, 2011
Revised Date: N/A
Approved By: J. Stephen Fletcher
Authority: UCA §63F-1-103; Utah Administrative Code, R895-7 Acceptable Use of Information Technology Resources; Utah Administrative Code, R477-11 Discipline
S1.1 Purpose
The purpose of this standard is to define and establish the State of Utah's requirements to ensure that systems do not pose an unmanaged security risk to the State of Utah network, by ensuring that applicable and required security patches are applied in a timely and effective manner.
S1.1.1 Background
This standard covers the requirements for software patch management. Patch management is the people, procedures and technology responsible for keeping computers current with updates developed for an existing software product. Security patch management is patch management with a focus on reducing security vulnerabilities. Patch management is not primarily a defensive procedure carried out in reaction to critical incidents. Emergencies that warrant such a response do occur, but security patch management should primarily be a proactive procedure for keeping the environment secure and reliable. Security patch management as a functioning procedure ensures that all identified software updates are in place, thereby removing known vulnerabilities from the environment and reducing the risk of computers being compromised.
The Department of Technology Services is responsible for installing and managing security controls and technologies on behalf of the State of Utah.
S1.1.2 Scope
This standard applies to all agencies and administrative subunits of state government as defined by UCA §63F-1-102(7), et seq.
S1.1.3 Exceptions
The Chief Information Officer, or authorized designee, may acknowledge that under rare circumstances, certain associates will need to employ systems that are not compliant with these standards. The Chief Information Officer, or authorized designee, must approve in writing all such instances.
In such cases, a business case for non-compliance must be established and the request for exemption must be approved in advance through a risk acceptance review. The risk acceptance business case requires approval by the Information Owner (Agency Executive Director/Commissioner) or authorized designee, the Chief Information Officer or authorized designee, and the Enterprise Information Security Office.
S1.2 Definitions
Asset Custodian
The IT staff entrusted with administering and protecting specific electronic information resources and assets.
Asset Owner
The IT staff entrusted with administering and protecting specific electronic information resources and assets (Application Owner).
Information Steward
The individual responsible and accountable for assets entrusted to their care. Within the State's enterprise information security framework, executive directors are designated as the stewards responsible for the State's information assets.
Information Custodian
An individual entrusted with administering and protecting information resources and assets. Within the State's enterprise security framework, the State's Chief Information Officer (CIO) is designated as the chief information custodian of the State's electronic information resources and assets.
S1.3 Standards
S1.3.1 Automatic Scanning
S1.3.1.1 Enterprise Information Security Staff will, at a minimum, audit all networked computers monthly to determine the need for security patches. Automated scanning systems administered from a central site are superior to manual patching methods. It must be possible to scan by:
• IP ranges; and
• Machine name.
S1.3.1.1 Applies to the following classification of systems: Low ✓ Med ✓ High ✓
S1.3.1.2 Automated scanning and deployment (patch management) systems must be able to provide lists of:
• Missing patches and/or service packs;
• OS versions;
• Patches that were successfully applied; and
• Patches that could not be applied.
S1.3.1.2 Applies to the following classification of systems: Low ✓ Med ✓ High ✓
S1.3.2 Patch Approval Process
Because security patches may cause an application to malfunction or have other unexpected effects, patches must be scheduled using the current enterprise change management system.
S1.3.2.1 When a new security patch is announced and released, the Enterprise Information Security Staff will work with the asset custodian to determine the risk associated with the patch.
S1.3.2.2 A risk level will be assigned to the security patch based on the enterprise vulnerability management procedure.
S1.3.2.3 The asset custodian will test the patch and, based on the assigned risk level, apply it accordingly.
S1.3.2.4 The asset custodian will notify the change management group using the standard change request process.
S1.3.2.5 Once the customers affected by the patch have been notified and change management has approved the update, the patch will be applied.
S1.3.2.6 It is the asset or application owner's responsibility to resolve any incompatibility with the application's developer or vendor.
S1.3.2 Applies to the following classification of systems: Low ✓ Med ✓ High ✓
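The scan scoping required by S1.3.1.1 (by IP range or machine name), the four lists required of the patch management system by S1.3.1.2, and the quarterly out-of-compliance report of S1.3.3.1 below, worked through as a small Python report generator. This is an added example for this page, not code from DTS or from any State of Utah patch management system; the hosts, IP addresses, OS versions, patch identifiers (KB-A, RHSA-1 and so on) and the REQUIRED_PATCHES baseline are constructed placeholders, and the function names are this example's own.

```python
"""Patch-status reporting in the shape S1.3.1.1 / S1.3.1.2 / S1.3.3.1 call for.

Added example, not code from DTS or the standard.  All hosts, OS versions,
patch identifiers and baselines below are constructed sample data; a real
report would be fed from the central scanning/deployment system's database.
"""
import ipaddress
from dataclasses import dataclass

# Patches the current baseline requires for each OS version.
# Constructed sample data: the identifiers are placeholders, not vendor IDs.
REQUIRED_PATCHES = {
    "Windows Server 2008 SP1": {"KB-A", "KB-B", "SP2"},
    "RHEL 5.3": {"RHSA-1", "RHSA-2"},
}

# Ordering used when listing out-of-compliance machines: High first.
CLASSIFICATION_ORDER = {"High": 0, "Med": 1, "Low": 2}


@dataclass
class Host:
    """One scanned machine, as the scanning system would report it."""
    name: str
    ip: str
    os_version: str
    installed: set       # patches the scanner found applied
    failed: set          # patches the deployment agent tried but could not apply
    classification: str  # Low / Med / High, per the tables in the standard


def select_hosts(hosts, ip_range=None, name=None):
    """S1.3.1.1: scope a scan by IP range (CIDR) and/or by machine name."""
    net = ipaddress.ip_network(ip_range, strict=False) if ip_range else None
    selected = []
    for h in hosts:
        if net is not None and ipaddress.ip_address(h.ip) not in net:
            continue
        if name is not None and h.name.lower() != name.lower():
            continue
        selected.append(h)
    return selected


def patch_report(hosts, required=REQUIRED_PATCHES):
    """S1.3.1.2: per host, the OS version, missing patches, patches applied
    and patches that could not be applied.

    A host whose OS version has no baseline is reported as non-compliant with
    missing=None rather than silently passing: an unknown platform is exactly
    the kind of unmanaged risk the standard exists to surface.
    """
    report = {}
    for h in hosts:
        baseline = required.get(h.os_version)
        entry = {
            "os_version": h.os_version,
            "classification": h.classification,
            "applied": sorted(h.installed),
            "failed": sorted(h.failed),
        }
        if baseline is None:
            entry["missing"] = None
            entry["compliant"] = False
        else:
            # A patch that failed to apply is never in `installed`, so it
            # shows up under "missing" as well as under "failed".
            entry["missing"] = sorted(baseline - h.installed)
            entry["compliant"] = not entry["missing"]
        report[h.name] = entry
    return report


def out_of_compliance(report):
    """S1.3.3.1: machines below the recommended patch level, High first."""
    return sorted(
        (n for n, e in report.items() if not e["compliant"]),
        key=lambda n: (CLASSIFICATION_ORDER.get(report[n]["classification"], 3), n),
    )


# Constructed sample scan results (not real hosts or addresses).
SAMPLE_HOSTS = [
    Host("app01", "10.1.0.5", "Windows Server 2008 SP1", {"KB-A", "KB-B", "SP2"}, set(), "High"),
    Host("app02", "10.1.0.6", "Windows Server 2008 SP1", {"KB-A"}, {"KB-B"}, "High"),
    Host("db01", "10.2.0.10", "RHEL 5.3", {"RHSA-1", "RHSA-2"}, set(), "Med"),
    Host("lab07", "10.3.0.20", "Ubuntu 8.04", {"USN-1"}, set(), "Low"),
]

if __name__ == "__main__":
    scoped = select_hosts(SAMPLE_HOSTS, ip_range="10.1.0.0/24")
    for host_name, entry in patch_report(scoped).items():
        print(host_name, entry)
    print("out of compliance:", out_of_compliance(patch_report(SAMPLE_HOSTS)))
```

The one design point worth carrying into a real implementation is the handling of lab07: a machine whose OS version the baseline does not know is listed as non-compliant, not skipped, which is what turns the S1.3.3.2 "devices not detected by the patch management software" problem into something the quarterly report actually shows.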
S1.3.3 Proactive Vulnerability Management Activities
Specific security activities will be scheduled and conducted by the Enterprise Information Security Office on a regular ongoing basis to identify, evaluate, and reduce vulnerabilities within the enterprise. Specific tasks include:
S1.3.3.1 Quarterly, vulnerability management will run reports showing the machines that are out of compliance with the currently recommended patch levels.
S1.3.3.2 Quarterly, vulnerability management will scan the network to identify any new devices that are not detected by the patch management software.
S1.3.3.3 Quarterly, vulnerability management will run scans of the network to identify those machines that may have other vulnerabilities or unnecessary services, or are otherwise susceptible to possible threats.
S1.3.3 Applies to the following classification of systems: Low ✓ Med ✓ High ✓
S1.4 Document History
Originator: Michael Casey, Chief Information Security Officer
Next Review: August 25, 2010
Reviewed Date: N/A
Reviewed By: N/A
S1.4.1 Document Information
Property/Name    | Value
Classification   | For Official Use Only
Policy Reference | 5000-1000 System and Information Integrity Policy; 5000-1002 Patch Management Security Policy
S1.4.2 Revision History
Author   | Description                                                      | Purpose                    | Date Modified | Vers. #
M Allred | N/A                                                              | Establish initial standard | 5/17/07       | 1.0
M Casey  | Update to enterprise organizational changes                      |                            |               |
M Casey  | Update incorporating Security Administration review and comments |                            | 07/1/2009     | 1.2
S1.4.3 Regulatory and Legal Index
Regulatory References | Legal References
DTS Representative
Name:
Signature:
Date: