
5000-1002-S1.20090826 1

DTS Standard 5000-1002-S1

Patch Management Security Standard

Status: Approved

Effective Date: August 26, 2009 through August 25, 2011

Revised Date: N/A

Approved By: J. Stephen Fletcher

Authority: UCA §63F-1-103; Utah Administrative Code, R895-7 Acceptable Use of Information Technology Resources; Utah Administrative Code, R477-11 Discipline

S1.1 Purpose

The purpose of this standard is to define and establish the State of Utah's requirements to ensure that systems do not pose an unmanaged security risk to the State of Utah network, by ensuring that applicable and required security patches are applied in a timely and effective manner.

S1.1.1 Background

This standard covers the requirements for software patch management. Patch management is the people, procedures and technology responsible for keeping computers current with updates developed for an existing software product. Security patch management is patch management with a focus on reducing security vulnerabilities. Patch management is not primarily a defensive procedure performed in reaction to critical incidents. Emergencies that warrant reactive patching do occur, but security patch management should primarily be a proactive procedure for keeping the environment secure and reliable. Security patch management as a functioning procedure ensures that all identified software updates are in place, thereby removing known vulnerabilities from the environment and reducing the risk of computers being compromised.

The Department of Technology Services is responsible for installing and managing security controls and technologies on behalf of the State of Utah.

S1.1.2 Scope

This standard applies to all agencies and administrative subunits of state government as defined by UCA §63F-1-102(7), et seq.

S1.1.3 Exceptions

The Chief Information Officer, or authorized designee, may acknowledge that under rare circumstances, certain associates will need to employ systems that are not compliant with these standards. The Chief Information Officer, or authorized designee, must approve in writing all such instances.

In such cases, a business case for non-compliance must be established and the request for exemption must be approved in advance through a risk acceptance review. The risk acceptance business case requires approval by the Information Owner (Agency Executive Director/Commissioner) or authorized designee, the Chief Information Officer or authorized designee, and the Enterprise Information Security Office.

S1.2 Definitions

Asset Custodian

The IT staff entrusted with administering and protecting specific electronic information resources and assets.

Asset Owner

The IT staff entrusted with administering and protecting specific electronic information resources and assets (Application Owner).

Information Steward

The individual responsible and accountable for assets entrusted to their care. Within the State's enterprise information security framework, executive directors are designated as the stewards responsible for the State's information assets.

Information Custodian

An individual entrusted with administering and protecting information resources and assets. Within the State’s enterprise security framework, the State’s Chief Information Officer (CIO) is designated as the chief information custodian of the State’s electronic information resources and assets.

S1.3 Standards

S1.3.1 Automatic Scanning

S1.3.1.1 Enterprise Information Security Staff will, at a minimum, audit all networked computers monthly to determine the need for security patches. Automatic scanning systems administered from a central site are preferred over manual patching methods. It must be possible to scan by:

• IP ranges; and
• Machine name.

S1.3.1.1 Applies to the following classification of systems: Low ✓ Med ✓ High ✓

S1.3.1.2 Automated scanning and deployment (patch management) systems must be able to provide lists of:

• Missing patches and/or service packs;
• OS versions;
• Patches that were successfully applied; and
• Patches that could not be applied.

S1.3.1.2 Applies to the following classification of systems: Low ✓ Med ✓ High ✓

S1.3.2 Patch Approval Process

Because security patches may cause an application to malfunction or produce other unexpected problems, patches must be scheduled using the current enterprise change management system.

S1.3.2.1 When a new security patch is announced and released, the Enterprise Information Security Staff will work with the asset custodian to determine the risk associated with the patch.

S1.3.2.2 A risk level will be assigned to the security patch based on the vulnerability management process.

S1.3.2.3 The asset custodian will test the patch and, based on the risk level, apply the patches accordingly.

S1.3.2.4 The asset custodian will notify the change management group using the standard change request process.

S1.3.2.5 Once the customers affected by the patch are notified and change management has approved the update, the patch will be applied.

S1.3.2.6 It is the asset or application owner's responsibility to resolve any incompatibility with the application's developer or vendor.

S1.3.2 Applies to the following classification of systems: Low ✓ Med ✓ High ✓

S1.3.3 Proactive Vulnerability Management Activities

Specific security activities will be scheduled and conducted by the Enterprise Information Security Office on a regular ongoing basis to identify, evaluate, and reduce vulnerabilities within the enterprise. Specific tasks include:

S1.3.3.1 Quarterly, vulnerability management will run reports showing the machines that are out of compliance with the currently recommended patch levels.

S1.3.3.2 Quarterly, vulnerability management will scan the network to identify any new devices that are not detected by the patch management software.

S1.3.3.3 Quarterly, vulnerability management will run scans of the network to identify those machines that may have other vulnerabilities, unnecessary services, or are susceptible to possible threats.
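As an added example (not part of the DTS standard or any State of Utah tooling), the following Python reconciles a constructed patch-management inventory against a hypothetical required-patch baseline and a constructed network sweep. It produces the four lists required by S1.3.1.2 (missing patches, OS versions, patches applied, patches that could not be applied), the out-of-compliance report of S1.3.3.1, the unmanaged-device check of S1.3.3.2, and scope selection by IP range and machine name from S1.3.1.1. Every host name, address, OS name and patch identifier below is made up for the example.

```python
"""Reconcile a patch-management inventory with a required-patch baseline and a
network discovery sweep. Added example with constructed data; not DTS code."""
import ipaddress
import json
from dataclasses import dataclass, field

# Hypothetical required-patch baseline per OS (constructed for this example).
BASELINE = {
    "Windows Server 2003 SP2": {"KB-A", "KB-B", "KB-C"},
    "Windows XP SP3": {"KB-A", "KB-D"},
    "RHEL 5": {"RHSA-1", "RHSA-2"},
}


@dataclass
class Host:
    name: str
    ip: str
    os: str
    applied: set = field(default_factory=set)  # patches the agent reports installed
    failed: set = field(default_factory=set)   # patches the agent tried but could not apply


# Constructed inventory, as a central patch-management server might export it.
INVENTORY = [
    Host("dts-web01", "10.1.1.10", "Windows Server 2003 SP2", {"KB-A", "KB-B", "KB-C"}),
    Host("dts-web02", "10.1.1.11", "Windows Server 2003 SP2", {"KB-A"}, {"KB-B"}),
    Host("agency-ws17", "10.1.2.45", "Windows XP SP3", {"KB-A"}),
    Host("dts-db01", "10.1.3.5", "RHEL 5", {"RHSA-1", "RHSA-2"}),
]

# Constructed result of a network sweep (S1.3.3.2): addresses that answered.
DISCOVERED = ["10.1.1.10", "10.1.1.11", "10.1.1.12", "10.1.2.45", "10.1.3.5", "10.1.3.9"]


def select_hosts(inventory, ip_range=None, name=None):
    """Scope a scan by IP range (CIDR) and/or machine name (S1.3.1.1)."""
    net = ipaddress.ip_network(ip_range, strict=False) if ip_range else None
    return [h for h in inventory
            if (net is None or ipaddress.ip_address(h.ip) in net)
            and (name is None or h.name == name)]


def missing_patches(host, baseline=BASELINE):
    """Required patches for the host's OS that are not reported as applied.
    Returns None when the OS is not in the baseline, so it is reported rather
    than silently treated as compliant."""
    required = baseline.get(host.os)
    if required is None:
        return None
    return sorted(required - host.applied)


def compliance_report(inventory, baseline=BASELINE):
    """The S1.3.1.2 lists plus the S1.3.3.1 out-of-compliance report."""
    report = {"os_versions": {}, "missing": {}, "applied": {}, "failed": {}, "unknown_os": []}
    for h in inventory:
        report["os_versions"][h.name] = h.os
        report["applied"][h.name] = sorted(h.applied)
        report["failed"][h.name] = sorted(h.failed)
        gap = missing_patches(h, baseline)
        if gap is None:
            report["unknown_os"].append(h.name)
        elif gap:
            report["missing"][h.name] = gap
    report["out_of_compliance"] = sorted(report["missing"])
    return report


def unmanaged_devices(discovered, inventory):
    """Addresses seen on the network that have no patch-management record (S1.3.3.2)."""
    known = {h.ip for h in inventory}
    return sorted((ip for ip in discovered if ip not in known), key=ipaddress.ip_address)


if __name__ == "__main__":
    print(json.dumps(compliance_report(INVENTORY), indent=2))
    print("unmanaged:", unmanaged_devices(DISCOVERED, INVENTORY))
    print("10.1.1.0/24:", [h.name for h in select_hosts(INVENTORY, ip_range="10.1.1.0/24")])
```

A host whose OS is absent from the baseline lands in `unknown_os` instead of passing as compliant, and a device that answers on the network but has no inventory record is the S1.3.3.2 finding that matters most: it is the machine the patch management software will never patch.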

S1.3.3 Applies to the following classification of systems: Low ✓ Med ✓ High ✓

S1.4 Document History

Originator: Michael Casey, Chief Information Security Officer

Next Review: August 25, 2010

Reviewed Date: N/A

Reviewed By: N/A

S1.4.1 Document Information

Property/Name      Value
Classification     For Official Use Only
Policy Reference   5000-1000 System and Information Integrity Policy
                   5000-1002 Patch Management Security Policy

S1.4.2 Revision History

Author    Description                                                        Purpose                     Date Modified   Vers. #
M Allred  N/A                                                                Establish initial standard  5/17/07         1.0
M Casey   Update to enterprise organizational changes
M Casey   Update incorporating Security Administration review and comments                               07/1/2009       1.2

S1.4.3 Regulatory and Legal Index

Regulatory References    Legal References

DTS Representative

Signature:

Date:

Name:
