Wednesday, September 16, 2009

Monitoring

MIS needs to monitor security mailing lists, review vendor notifications and Web sites, and research specific public Web sites for the release of new patches. Monitoring will include, but not be limited to, the following:
• Scanning the network to identify known vulnerabilities.
• Identifying vulnerabilities and/or security breaches and communicating them to the chief information security officer (CISO) and the CIO.
• Monitoring CERT, Microsoft, Symantec, and cybersecurity notifications, and the Web sites of all vendors that have hardware or software operating on the network.
Review and evaluation
Once alerted to a new patch, MIS will download and review the new patch within four hours of its release. MIS will categorize the criticality of the patch according to the following:
• Emergency -- an imminent threat to the network
• Critical -- targets a security vulnerability
• Not Critical -- a standard patch release update
• Not applicable to the environment
Regardless of platform or criticality, all patch releases will follow a defined process for patch deployment that includes assessing the risk, testing, scheduling, installing, and verifying.
Risk assessment and testing
MIS will assess the effect of a patch on the corporate infrastructure prior to its deployment. The department will also assess the criticality of the patch relative to each affected platform (e.g., servers, desktops, printers, etc.).
If MIS categorizes a patch as an Emergency, the department considers it an imminent threat to the network/system. Therefore, the organization assumes greater risk by not implementing the patch than by implementing it without waiting for testing.
Patches deemed Critical or Not Critical will undergo testing for each affected platform before release for implementation. MIS will expedite testing for critical patches. The department must complete validation against all images (e.g., Windows, UNIX, etc.) prior to implementation.
Notification and scheduling
MIS management must approve the schedule prior to implementation. Regardless of criticality, each patch release requires the creation and approval of a request for technical change (RTC) prior to releasing the patch. The CISO will decide when notifying staff is necessary.
Implementation
MIS will deploy Emergency patches within eight hours of availability. As Emergency patches address an imminent threat to the network, the release may precede testing. In all instances, the department will perform testing (either pre- or post-implementation) and document it for auditing and tracking purposes.
For new network devices, each platform will follow established hardening procedures to ensure the installation of the most recent patches.
Auditing, assessment, and verification
Following the release of all patches, MIS staff will verify the successful installation of the patch and that there have been no adverse effects.
User responsibilities and practices
It is the responsibility of each user -- both individually and within the organization -- to ensure prudent and responsible use of computing and network resources.
