
Patch Management Security Policy Template


Author: Rich Selvidge, CISSP / Last Updated: 5/22/22

Reviewed By: Michael Swanagan, CISSP, CISA, CISM


Overview

Patch Management at {COMPANY-NAME} is required to mitigate risk to the confidential data and the integrity of {COMPANY-NAME}’s systems.

Patch management is an effective control against known vulnerabilities; it must be performed routinely and should cover as many systems as possible to be most effective.

{COMPANY-NAME} must prioritize its assets and protect the most critical ones first; however, it is important to ensure patching takes place on all machines.

Purpose

Security vulnerabilities are inherent in computing systems and applications. These flaws allow the development and propagation of malicious software, which can disrupt normal business operations, in addition to placing {COMPANY-NAME} at risk. In order to effectively mitigate this risk, software “patches” are made available to remove a given security vulnerability.

Given the number of computer workstations and servers that comprise the {COMPANY-NAME} network, it is necessary to utilize a comprehensive patch management solution that can effectively distribute security patches when they are made available. Effective security is a team effort involving the participation and support of every {COMPANY-NAME} employee and the Board of Directors.

This policy provides direction, establishes goals, enforces governance, and outlines compliance requirements.

Audience

This policy applies to all employees, contractors, consultants, temporaries, and the Board of Directors at {COMPANY-NAME}. This policy applies to all equipment that is owned or leased by {COMPANY-NAME}, including all electronic devices, servers, application software, computers, peripherals, routers, and switches.

Adherence to this policy is mandatory.

Policy Detail

Many computer operating systems, such as Microsoft Windows, Linux, and others, include software application programs which may contain security flaws.

Occasionally, one of those flaws allows an attacker to compromise a computer. A compromised computer threatens the integrity of the {COMPANY-NAME} network and all computers connected to it. Almost all operating systems and many software applications have periodic security patches, released by the vendor, that need to be applied.

Patches that are security-related or critical in nature should be installed as soon as possible.

  • In the event that a critical or security-related patch cannot be centrally deployed by IT, it must be installed in a timely manner using the best resources available.
  • Failure to properly configure new workstations is a violation of this policy. Disabling, circumventing, or tampering with patch management protections and/or software constitutes a violation of policy.

Responsibility

The VP of IT is responsible for providing a secure network environment for {COMPANY-NAME}. It is {COMPANY-NAME}’s policy to ensure that all computer devices (including servers, desktops, printers, etc.) connected to {COMPANY-NAME}’s network have the most recent operating system, security, and application patches installed.

Every user, both individually and within the organization, is responsible for ensuring prudent and responsible use of computing and network resources.

IT is responsible for ensuring all known and reasonable defenses are in place to reduce network vulnerabilities while keeping the network operating.

IT Management and Administrators are responsible for monitoring security mailing lists, reviewing vendor notifications and Web sites, and researching specific public Web sites for the release of new patches.

Monitoring will include, but not be limited to:

  • Scheduled third-party scanning of {COMPANY-NAME}’s network to identify known vulnerabilities
  • Identifying vulnerabilities and/or security breaches and communicating them to {COMPANY-NAME}’s VP of IT
  • Monitoring Computer Emergency Readiness Team (CERT) notifications and the Web sites of all vendors that have hardware or software operating on {COMPANY-NAME}’s network

The IT Security and System Administrators are responsible for maintaining accurate patching procedures that detail the what, where, when, and how, in order to eliminate confusion, establish routine, provide guidance, and make practices auditable.

Documenting the implementation details provides the specifics of the patching process, including the specific systems or groups of systems and the timeframes associated with patching.

Once alerted to a new patch, IT Administrators will download and review the new patch. The patch will be categorized by criticality to assess the impact and determine the installation schedule.