Vulnerability Management & Patching

Organizations should keep Operating System (OS) and application versions current so that known vulnerabilities are patched. Additionally, a Vulnerability Management (VM) & Patching program should be in place to ensure that vulnerability scans are performed and that system patches are applied on a timely basis.

Control Objective

  • Policy is documented, approved, followed, reviewed, and updated regularly
  • Vulnerability scans must be performed prior to and following production launch
  • Systems must be patched regularly to keep OS and application versions current
  • Vulnerability assessments are regularly conducted as part of the program, and identified vulnerabilities must be rated according to criticality
  • High and critical vulnerabilities must be remediated through patching, decommissioning, or compensating controls

Resources

OCIO Patch Standard (DOCX)