Policy
Policy Name
Software Maintenance Policy

Overview
Software must be maintained to meet security requirements. Maintenance processes include patch management and secure configuration of software to reduce its exposure to known vulnerabilities. One of the most common threats is unpatched software, which attackers can exploit to gain unauthorized access to vulnerable systems and applications, and eventually to sensitive data.

Statement
  • Vulnerability scans must be performed to identify software and system vulnerabilities that need to be patched or otherwise remediated. Scans shall be performed at least every 30 days.
  • Software must be patched and securely configured in a timely manner to address known vulnerabilities and threats.
  • Software patches must be tested in a non-production environment to confirm that they will not adversely affect system or application availability in production.
  • Vulnerabilities must be classified by severity or risk using a consistent scheme (e.g. critical, high, medium, low).
  • Patches must be deployed using a risk-based approach that meets the established software maintenance procedures (e.g. critical patches must be deployed within 30 days of vendor patch release).
  • There must be an agreement with the business on pre-defined maintenance windows for deploying patches, OS upgrades and other software maintenance activities, so that both security and availability are maintained.
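The scan-cadence and risk-based deployment requirements above are the kind of thing a team will want to check mechanically against scan output. The script below is an added example, not part of this policy or of any particular scanner: it classifies findings by CVSS v3.x severity band (the cut-offs are the ones defined in the CVSS specification), assigns each a remediation deadline, and reports which findings are overdue. The 30-day window for critical findings is the figure the policy uses as its example; the windows for high, medium and low are assumed values for illustration and should be replaced with the ones in your own procedure. The findings, hosts and dates are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional, List, Dict

# Remediation SLA in days after vendor patch release, keyed by severity.
# "critical": 30 mirrors the policy's example; the other values are assumed.
SLA_DAYS: Dict[str, int] = {"critical": 30, "high": 60, "medium": 90, "low": 180}

# Maximum allowed interval between vulnerability scans (policy: 30 days).
MAX_SCAN_INTERVAL_DAYS = 30


def cvss_severity(score: float) -> str:
    """Map a CVSS v3.x base score to its qualitative severity band."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    if score > 0.0:
        return "low"
    return "none"


@dataclass
class Finding:
    host: str
    finding_id: str            # scanner's finding identifier (constructed here)
    cvss: float                # CVSS v3.x base score reported by the scanner
    patch_released: date       # vendor patch release date (start of SLA clock)
    patched_on: Optional[date] = None  # None means the host is still unpatched


def assess(finding: Finding, today: date) -> dict:
    """Compute deadline and compliance status for one finding."""
    sev = cvss_severity(finding.cvss)
    if sev == "none":
        return {"finding_id": finding.finding_id, "host": finding.host,
                "severity": sev, "deadline": None, "status": "informational",
                "compliant": True, "days_over": 0}
    deadline = finding.patch_released + timedelta(days=SLA_DAYS[sev])
    if finding.patched_on is not None:
        # Closed finding: judge it on when the patch actually landed.
        compliant = finding.patched_on <= deadline
        status = "patched in time" if compliant else "patched late"
        days_over = max(0, (finding.patched_on - deadline).days)
    else:
        # Open finding: judge it against today's date.
        compliant = today <= deadline
        status = "open" if compliant else "overdue"
        days_over = max(0, (today - deadline).days)
    return {"finding_id": finding.finding_id, "host": finding.host,
            "severity": sev, "deadline": deadline, "status": status,
            "compliant": compliant, "days_over": days_over}


def compliance_report(findings: List[Finding], today: date) -> List[dict]:
    """Assess every finding, worst offenders (most days over SLA) first."""
    rows = [assess(f, today) for f in findings]
    return sorted(rows, key=lambda r: (-r["days_over"], r["finding_id"]))


def summarize(findings: List[Finding], today: date) -> Dict[str, int]:
    """Count findings by status so the report can be tracked over time."""
    counts: Dict[str, int] = {}
    for row in compliance_report(findings, today):
        counts[row["status"]] = counts.get(row["status"], 0) + 1
    return counts


def scan_cadence_ok(last_scan: date, today: date,
                    max_interval_days: int = MAX_SCAN_INTERVAL_DAYS) -> bool:
    """True if the last scan is within the policy's maximum scan interval."""
    return 0 <= (today - last_scan).days <= max_interval_days


# Constructed sample scan output for a report run on 2024-06-01.
SAMPLE_FINDINGS = [
    Finding("web-01", "F-001", 9.8, date(2024, 4, 15)),                 # unpatched critical
    Finding("db-01", "F-002", 7.5, date(2024, 4, 15), date(2024, 5, 20)),  # high, on time
    Finding("app-02", "F-003", 5.3, date(2024, 5, 20)),                 # medium, still open
    Finding("app-02", "F-004", 9.1, date(2024, 4, 1), date(2024, 5, 10)),  # critical, late
]

if __name__ == "__main__":
    today = date(2024, 6, 1)
    for row in compliance_report(SAMPLE_FINDINGS, today):
        print(f"{row['finding_id']:6} {row['host']:8} {row['severity']:9} "
              f"deadline={row['deadline']} {row['status']} (+{row['days_over']}d)")
    print(summarize(SAMPLE_FINDINGS, today))
    print("scan cadence ok:", scan_cadence_ok(date(2024, 5, 1), today))
```

Run against real scanner export (most scanners emit the CVSS base score and a first-seen date), this gives the evidence an auditor will ask for: which findings are past their window, by how many days, and whether scanning itself is happening at the required frequency. Note that the SLA clock starts at vendor patch release, as the policy states, not at the date the scanner first observed the finding; if the scanner only reports first-seen, that date is a conservative substitute.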

Justification

The following benefits will be achieved:

  • Known vulnerabilities in software are identified and remediated
  • Reduced likelihood that known vulnerabilities are exploited
  • Protection of sensitive information

Scope
All employees, contractors, agents and third-parties

Consequences for Noncompliance
Noncompliance with this policy can result in disciplinary action up to and including termination of employment or contract.

Topics
Vulnerability Management
Application Security