Connor Group Information Security

Security Patching

Jan 2024

v.1.2

Introduction

Software and hardware patching is the means by which existing computer systems and applications are modified with updates designed to fix identified issues in performance, functionality, and security. Patching is an essential component of keeping software and firmware functional and protected from identified security vulnerabilities. This Standard codifies expectations for the security patching of computer systems managed by Connor Group IT and is one of a set of documents which together form Connor Group's Information Security Management System (ISMS).

 

Purpose

The purpose of this Standard is to ensure:  

  • There are processes in place for the ongoing review and application of security patches.  
  • Business data and Services are protected from security attacks. 
  • Connor Group has assurance that IT (Information Technology) Systems are being maintained in appropriate fashion. 

 

Scope

This Standard applies to IT systems managed or accessed by Connor Group, including both physical and virtual desktops, laptops, servers, handhelds, and third-party systems utilized by CG employees for business purposes. 

 

This Standard defines the term “IT Systems” to include the following as in scope:

  • Applications (e.g., Outlook, Slack, Adobe, Java)
  • Operating Systems (e.g., Linux/Solaris/Windows)
  • Network Devices (e.g., Switches/Routers/Firewalls)
  • Servers, both physical and virtual 
  • Desktop Systems, both physical and virtual 
  • Storage Solutions (e.g. File servers, NAS)
  • Removable Media (e.g. MicroSD cards, USB drives)

 

This Standard defines the term “IT Systems” to exclude the following as out of scope:

  • Smartphones (e.g., iPhones, Androids, etc.)
  • Tablets (e.g., iPads)

 

All staff and Third Parties responsible for the management of IT Systems must understand and follow the requirements herein. 

 

In the event of uncertainty regarding the applicability of this Standard, contact Information Security for clarification and/or guidance at [email protected].  

 

Definitions

References for terminologies or acronyms used within Information Security Standards can be accessed within the Glossary of Definitions (https://bookstack.soldenservices.com/books/policies-processes-procedures/page/glossary-of-definitions)

 

Standard

Adherence to the requirements in this Standard is mandatory.


1. Security Patch Notification and Review

 

Ref   Requirement

1.1   Connor Group Information Security shall determine the software and systems subject to security patching.

1.2   Appropriate processes and tools for the discovery of information assets shall be in place to identify any new assets in scope for security patching.

1.3   An asset register or inventory shall be maintained by IT and be accessible to Information Security for audit.

1.4   Connor Group will monitor for the release of new security patches on an ongoing basis through various channels, such as published notification services and vendor updates.

1.5   Once alerted to a new patch applicable to production systems, Connor Group IT will review the new patch within 96 hours of its release.

1.6   All security patch releases will follow a defined process that includes assessment, testing, scheduling, installation, and verification.

1.7   Connor Group will conduct a threat and vulnerability assessment to evaluate the criticality of a security patch and provide a risk rating, based on the vendor’s rating and an independent assessment performed in line with Connor Group’s Risk Management Standard.

1.8   Consideration will be given to the risk of installing the patch compared with the risk posed by the associated vulnerability, and to alternative controls that may be implemented to reduce that risk.

1.9   Patches will be categorized as follows (using the NVD CVSS scoring framework):
      I.   Critical – where the risk ranking is recorded as 9 and above (also known as emergency);
      II.  Moderate – where the risk ranking is recorded as 4-8;
      III. Low – where the risk ranking is recorded as 3 or below; and
      IV.  N/A – not applicable to Connor Group’s environment.

1.10  Maintenance windows for the application of security patches to production systems or services will be provided by the system owners on a 3-month rolling basis, at minimum.

1.11  Where security patching resolves issues identified through routine vulnerability scanning or penetration testing, the security patching of Vulnerable Systems shall be governed by this Standard.

1.12  Where it is not possible to apply security patches to Vulnerable Systems, regular reviews of the vulnerabilities, as recommended by the Vulnerability Management Standard, shall be conducted, considering:
      I.   formal acceptance of the risk;
      II.  application of other controls to address the identified vulnerabilities;
      III. upgrading the System to a level supported by the manufacturer; or
      IV.  decommissioning of the System.

1.13  Patches will undergo testing before implementation. Connor Group Information Security will expedite testing for critical patches as necessary.

1.14  In exceptional cases where a critical security patch addresses an imminent threat to the Network, deployment may proceed without testing, but not without approval from the CIO or a designated surrogate.

1.15  Connor Group IT will obtain authorization for implementing security patches through the appropriate change mechanisms.

1.16  Where technically feasible, in the event of a critical security patch for which full formal testing prior to release is not possible, the patch will be deployed to a group of 10 or fewer devices to ensure system stability. Where possible, this deployment will occur in test or development environments.

 

2. Patch Deployment 

 

Ref   Requirement

2.1   All Critical security patch deployments will be coordinated through Information Security for validation of vulnerability remediation.

2.2   The appropriate timings for security patch deployment within the different Connor Group environments shall be agreed upon between Information Security and Information Technology.
      1. Patches classified as Critical shall have a patch or remediation plan approved within 7 business days of patch classification.
      2. Patches classified as Moderate shall have a patch or remediation plan approved within 30 business days of patch classification.
      3. Patches classified as Low shall have a patch or remediation plan approved within 60 business days of patch classification.

2.3   The appropriate frequency of security patch deployment for different application software, operating systems, and device firmware shall be determined by business criticality and patch classification.

2.4   Where possible, a centralized patch management solution shall be used for the deployment, management, and reporting of security patching.

2.5   Connor Group patching expectations (patch deployment rates and thresholds) and reporting requirements will be set by the Information Technology and Security groups.

2.6   Procedures shall exist for confirming the success of patch deployments. Supporting processes shall exist to take appropriate action where patch installations have not deployed successfully.

2.7   Once a patch has been deployed, affected systems shall be observed for irregular activity. Where a patch deployment has an adverse effect on any Connor Group system, a back-out plan will be used as part of the troubleshooting process.

2.8   Where security patching is conducted on systems not managed by Connor Group but used by Connor Group employees or contractors, the Connor Group Information Security team shall seek assurance that patching is being conducted in a timely, methodical, and controlled manner.

 

Compliance

The Information Security team shall verify compliance with this Standard through various methods, including but not limited to walk-throughs, environment sampling, process review, monitoring, business tool reports, internal and external audits, and feedback to the policy owner.

 

Any exception to this Standard requires a formally approved exemption documenting the justification for, and the approval of, the deviation from this Standard. Exemption approvals are required before systems enter live operations or remain online after the remediation plan grace period has expired.

 

The following are required to adhere to this Standard, except where a formal exception has been granted as above:

  • All Connor Group Systems and employees, independent contractors, and subcontractors. Any individual found to have violated this Standard may be subject to disciplinary action, including termination and legal recourse.
  • Any Third-Party System that is used to support Connor Group data and/or Services. Any Third Party that violates this Standard will be considered to have breached their contract with Connor Group.

 

Revision History

Revisions require approval by the Director of Information Security and dissemination to applicable business units prior to release.

 

Version   Detail                                                                                   Author                              Date
1.1       Formatting revised, with requirements under Standards enumerated for easier reference.   Connor Group Information Security   May 2021
1.2       Annual review with minor updates for clarity.                                            Connor Group Information Security   Jan 2024