22.9.1 Patch Management
The purpose of this Policy is to create an environment for the effective and efficient deployment of critical security patches to all hardware devices and software used in the Group’s networks to prevent exploitation of vulnerabilities in software and electronic systems.
A patch is a change applied to an asset to correct the weakness described by a vulnerability. Its purpose is to prevent successful exploitation and to remove or mitigate a threat’s capability to exploit that specific vulnerability. Critical security patches are patches for vulnerabilities which have been seen actively exploited and which present a real danger of compromise. Failure to apply these patches can result in a hacked system and a loss of data or personal information within the foreseeable future.
22.9.2 Policy
a) Notifications of patches from vendors are to be reviewed, tested and the patches applied as appropriate.
b) Critical security patches must be installed across systems and devices.
c) Critical security patches are to be installed within a specified period from notification that they are available.
d) Computer support staff (IT, device, network, software, system administrators/engineers) are to participate in reporting and confirming patch compliance of their systems and taking prompt remedial action when systems or devices under their care have not been patched.
e) When perceived risk warrants such actions, devices which have not been patched may have their access to information and network resources temporarily suspended, blocked or restricted.
f) The system administrator must verify the configuration baselines after patching.