South Plains College
Information Services (SPC-IS)
Patch Management Standard: I-E(b)
Purpose and Benefits
Security patch management (patch management) is a practice designed to proactively prevent the exploitation of IT vulnerabilities within an organization. By applying security-related software or firmware updates (patches) to the IT systems they apply to, an organization reduces or eliminates the underlying vulnerability, and with it the time and money that would otherwise be spent responding to its exploitation.
Scope
This Standard relates specifically to vulnerabilities that can be addressed by a software or firmware update (patch) and applies to all software used on SPC's systems. For requirements on addressing vulnerabilities for which no patch is available or applicable, the Vulnerability Scanning Standard: I-E(d) should be followed.
Information Statement
- The SPC Help Desk organization is responsible for patch management.
- The SPC patch management processes include:
  - monitoring security sources for vulnerabilities, patch and non-patch remediation, and emerging threats;
  - overseeing patch distribution, including verifying that a change control procedure is being followed;
  - testing patches for stability and deploying them; and
  - using an automated, centralized patch management distribution tool, whenever technically feasible, which:
    - maintains a database of patches;
    - deploys patches to endpoints; and
    - verifies the installation of patches.
- Appropriate separation of duties must exist so that the individual(s) verifying patch distribution is not the same individual(s) distributing the patches.
- According to the Information Security Policy, all entities must maintain an inventory of hardware and software assets, and patch management must incorporate all installed IT assets.
- Patch management must be prioritized based on the severity of the vulnerability the patch addresses. In most cases, severity ratings are based on the Common Vulnerability Scoring System (CVSS). A CVSS score of 7.0-10.0 is considered a high-impact vulnerability, a CVSS score of 4.0-6.9 a medium-impact vulnerability, and a CVSS score of 0.0-3.9 a low-impact vulnerability. (CVSS scores are reported to one decimal place, so these bands are contiguous. They match the ranges the National Vulnerability Database uses for CVSS v2; a vulnerability rated Critical under CVSS v3.x, that is, scored 9.0-10.0, falls within the High band for the purposes of this standard.)
- To the extent possible, the patching process must follow the timeline in the table below. Both deadlines are measured from the date the vendor releases the patch, not from the date SPC becomes aware of it:

Impact/Severity | Patch Initiated | Patch Completed
High | Within 24 hours of patch release | Within 1 week of patch release
Medium | Within 1 week of patch release | Within 1 month of patch release
Low | Within 1 month of patch release | Within 2 months of patch release, unless the Information Security Officer (ISO) determines the vulnerability to be an insignificant risk to the environment
- If patching cannot be completed within the timeframe listed in the table above, compensating controls must be implemented within that same timeframe, and the exception process must be followed.
- A patch that requires a reboot to take effect is not complete until the reboot has occurred, so the reboot must take place within the Patch Completed timeframe outlined above.
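As an added example (not part of this standard or of SPC's tooling), the following Python script turns the severity bands and the timeline table into a deadline check that a patch management tool could run against its patch database: it derives the Patch Initiated and Patch Completed deadlines from each patch's CVSS score and release date, treats a reboot-pending patch as not yet complete, and reports records that have an ISO exception on file separately from those that are simply overdue. The PatchRecord fields, the sample records, and the reading of "1 month" as 30 days and "2 months" as 60 days are assumptions made for the example.

```python
"""Deadline tracker for the patch timeline in this standard.

Added example, not part of the SPC standard. It computes the Patch Initiated
and Patch Completed deadlines from a patch's release date and CVSS score and
reports each record's status against them.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


def severity(cvss: float) -> str:
    """Map a CVSS base score (0.0-10.0) to the standard's impact band."""
    if not 0.0 <= cvss <= 10.0:
        raise ValueError(f"CVSS score out of range: {cvss}")
    if cvss >= 7.0:
        return "High"
    if cvss >= 4.0:
        return "Medium"
    return "Low"


# (initiate window, complete window) per band, from the table. "1 month" and
# "2 months" are not fixed lengths; 30 and 60 days is an assumption for this example.
SLA = {
    "High":   (timedelta(hours=24), timedelta(weeks=1)),
    "Medium": (timedelta(weeks=1),  timedelta(days=30)),
    "Low":    (timedelta(days=30),  timedelta(days=60)),
}


@dataclass
class PatchRecord:
    """One patch as tracked in a hypothetical patch management database."""
    patch_id: str
    cvss: float
    released: datetime                      # vendor release date (deadlines run from here)
    initiated: Optional[datetime] = None    # deployment started (change ticket opened)
    installed: Optional[datetime] = None    # endpoint reports the patch installed
    reboot_required: bool = False
    rebooted: Optional[datetime] = None
    exception_granted: bool = False         # ISO exception on file, compensating controls in place

    def completed_at(self) -> Optional[datetime]:
        """A patch that needs a reboot is not complete until the reboot has occurred."""
        if self.installed is None:
            return None
        return self.rebooted if self.reboot_required else self.installed


def evaluate(rec: PatchRecord, now: datetime) -> dict:
    """Return the deadlines and compliance status for one record as of `now`."""
    band = severity(rec.cvss)
    initiate_by = rec.released + SLA[band][0]
    complete_by = rec.released + SLA[band][1]
    initiated = rec.initiated or rec.installed   # an installed patch was necessarily initiated
    done = rec.completed_at()
    result = {"patch": rec.patch_id, "severity": band,
              "initiate_by": initiate_by, "complete_by": complete_by, "detail": ""}

    if done is not None:
        on_time = done <= complete_by and initiated <= initiate_by
        result["status"] = "compliant" if on_time else "late"
    elif now > complete_by:
        # Past the completion deadline: only an approved exception keeps this off the overdue list.
        result["status"] = "exception" if rec.exception_granted else "overdue"
        if rec.installed is not None and rec.reboot_required:
            result["detail"] = "installed but reboot pending past completion deadline"
    elif initiated is None and now > initiate_by:
        result["status"] = "exception" if rec.exception_granted else "overdue"
        result["detail"] = "not initiated by initiation deadline"
    else:
        result["status"] = "in-progress"
    return result


# Constructed sample data (not real patches); the clock is fixed for reproducibility.
NOW = datetime(2024, 3, 15, 9)
SAMPLE = [
    PatchRecord("KB-A", 9.8, datetime(2024, 3, 1), initiated=datetime(2024, 3, 1, 12),
                installed=datetime(2024, 3, 5), reboot_required=True),      # reboot never happened
    PatchRecord("KB-B", 5.3, datetime(2024, 2, 1), initiated=datetime(2024, 2, 5),
                installed=datetime(2024, 2, 20)),                           # on time
    PatchRecord("KB-C", 2.1, datetime(2024, 1, 1), exception_granted=True), # ISO exception on file
    PatchRecord("KB-D", 7.5, datetime(2024, 3, 14)),                        # 24h initiation window missed
]


def report(records=SAMPLE, now=NOW) -> list:
    """Evaluate every record; returns one result dict per patch."""
    return [evaluate(r, now) for r in records]


if __name__ == "__main__":
    for row in report():
        print(f"{row['patch']:6} {row['severity']:7} complete by {row['complete_by']:%Y-%m-%d} "
              f"-> {row['status']} {row['detail']}")
```

Run it as-is and KB-A shows up as overdue because its reboot is still pending, even though the endpoint reported the patch installed inside the one-week window; that is the case the reboot rule above is written for.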
Compliance
This standard shall take effect upon publication. Compliance with all enterprise policies and standards is expected, and policies and standards may be amended at any time.
If compliance with this standard is not feasible or technically possible, or if deviation from this standard is necessary to support a business function, entities shall request an exception through the Information Security Officer’s exception process.
Related Documents
1 TAC § 202.74 (a)(2)
Common Vulnerability Scoring System
National Vulnerability Database
Texas Security Controls Standards Catalog Control Group: CM-6, RA-5, SA-5, SA-10
NIST Function Groups: DE.CM-1, PR.DS-1, PR.DS-2, PR.IP-4