Patch Management Policy

This policy applies to all IT infrastructure hosted on Microsoft Azure, including virtual machines, web apps, databases, containers, and other services that require regular patching. This policy covers the patches provided by Microsoft and those offered by third-party vendors for the software and applications running on Azure.

Introduction

Patch management involves applying updates to software and systems to fix security vulnerabilities, improve functionality, or enhance performance. It is critical to maintaining the security and availability of IT infrastructure and services.

This document defines the standards and process for patch management for the organization's IT assets hosted on the Microsoft Azure cloud platform. The document covers the following aspects of patch management:

  • Patch management roles and responsibilities
  • Patch management scope and frequency
  • Patch management workflow and approval
  • Patch management reporting and auditing

Patch Management Roles and Responsibilities

The following roles and responsibilities are defined for patch management:

  • The IT security team is responsible for monitoring and identifying the security patches applicable to the organization's IT assets on Azure. The team is also responsible for assessing the patches' risks and impacts and prioritising them accordingly.
  • The IT operations team is responsible for testing and deploying the patches to the IT assets on Azure. The IT operations team is also responsible for ensuring the availability and functionality of the IT assets after patching.
  • The IT governance team is responsible for defining and enforcing patch management policies and standards and reviewing and approving patch management plans and reports.
  • The business owners are responsible for providing the business impact and requirements for the IT assets on Azure and for approving the patching schedule and downtime.

Although we acknowledge the necessity of role segregation, as a small to medium-sized enterprise some individuals may hold more than one of the roles outlined above. Where that happens, the person who deploys a patch should not be the sole approver of the patch management plan for it, and the approval should be recorded explicitly so that the review step is still evidenced.


Patch Management Scope and Frequency

The scope of patch management includes all IT assets hosted on Azure, such as virtual machines, databases, web apps, storage accounts, and containers. It excludes the platform components that Microsoft patches under the shared responsibility model, such as Azure Active Directory and Office 365. Note that the exclusion applies only to the Microsoft-managed layer: components the organisation controls on a platform service, such as application dependencies in a web app, base images and libraries in a container, or a self-selected runtime version, remain in scope.


The frequency of patch management depends on the patch type, severity, and risk. The following patch categories and frequencies are defined:

  • Critical patches address high-risk security vulnerabilities that can be exploited remotely or cause significant damage. They should be applied within 24 hours of release. A patch falls in this tier when Microsoft's security update severity rating is Critical, or when the vulnerability's CVSS base score is 7.0 or higher.
  • Important patches address medium-risk security vulnerabilities that typically require local access or user interaction, or cause moderate damage. They should be applied within seven days of release. A patch falls in this tier when the severity rating is Important or Moderate and the CVSS base score is between 4.0 and 6.9.
  • Moderate patches address low-risk security vulnerabilities that are difficult to exploit or cause minor damage. They should be applied within 30 days of release. A patch falls in this tier when the severity rating is Moderate or Low and the CVSS base score is 3.9 or lower.
  • Optional patches address non-security issues, such as functionality, performance, or compatibility. They carry no security severity rating and no CVSS score and are applied based on business needs and requirements.

Microsoft publishes the severity rating and the CVSS base score separately in the Security Update Guide; the CVSS thresholds above are this organisation's mapping onto the tiers, not a Microsoft definition. Where the rating and the score indicate different tiers (for example, an Important-rated update whose vulnerability scores 7.8), the stricter tier applies. Third-party vendor patches are placed in a tier by CVSS base score, or by the vendor's own rating where no score is published.

Patch Management Workflow and Approval

The following workflow and approval process is defined for patch management:

  • The IT security team monitors and identifies the patches that apply to the IT assets on Azure and notifies the IT operations team and the business owners. The IT security team uses the Microsoft Security Update Guide and Microsoft Defender for Cloud (the service formerly named Azure Security Center) as the primary patch information and guidance sources.
  • The IT operations team tests the patches in a non-production environment and assesses the technical impact and feasibility of the patches. The IT operations team uses Azure Update Manager (the successor to Azure Automation Update Management, which Microsoft has retired) as the primary tool for patch assessment, testing, and deployment.
  • The IT security and operations teams jointly prepare a patch management plan that includes the patch details, priority, schedule, downtime, rollback, and communication. The plan should follow Microsoft's best practices and recommendations and adhere to the organisation's patch management policies and standards.
  • The IT governance team reviews and approves the patch management plan and ensures it complies with the patch management policies and standards. Azure Policy is the primary tool for expressing technical patch requirements as enforceable guardrails (for example, auditing virtual machines that lack periodic update assessment); it does not record the approval of a plan, which is documented outside Azure in the change record. Azure Blueprints has been deprecated by Microsoft, so environment standards should be expressed as Azure Policy assignments and ARM or Bicep templates rather than new blueprints.
  • The business owners review and approve the patch management plan and ensure it meets the business needs and requirements. They should also consider the patch's business impact, risk, patching schedule, and downtime.
  • The IT operations team deploys the patches to the IT assets on Azure according to the patch management plan and monitors the patching process and outcome. The team uses Azure Update Manager as the primary patch deployment and monitoring tool.
  • The IT security team verifies and validates the patching status and results and updates the patch inventory and documentation. The team uses Microsoft Defender for Cloud (which absorbed both Azure Security Center and Azure Defender) and its missing-system-updates recommendations as the primary patch verification and validation tools, cross-checking against the assessment results in Azure Update Manager.
  • The IT operations and security teams prepare a patch management report that includes the patch summary, results, issues, and lessons learned. The report should follow Microsoft's best practices and recommendations and adhere to the organisation's patch management policies and standards.
  • The IT governance team reviews and approves the patch management report and ensures it complies with the patch management policies and standards. Azure Policy compliance results provide the evidence that technical requirements were met; the approval itself is recorded in the change record.
  • The IT operations and security teams communicate the patch management report and feedback to the business owners and other stakeholders. Azure Monitor alert rules and action groups are used to notify stakeholders of deployment outcomes and failures; Azure Service Health is consulted for Microsoft-initiated platform maintenance that may coincide with a patch window, but it is not a channel for the organisation's own communications.

Patch Management Reporting and Auditing

The following reporting and auditing requirements are defined for patch management:

  • The IT operations and security teams should maintain a patch inventory that records the patch details, status, and history for each IT asset on Azure. Each entry should include the patch name, description, type, severity, CVSS score, release date, installation date, and current status, together with the history of status changes. The patch inventory should be updated after every patch cycle and stored with access restricted to the patch management roles.

  • The IT operations and security teams should generate a patch management report for each patch cycle that summarises the patch details, results, issues, and lessons learned. The report should include the patch name, description, type, severity, CVSS score, release date, installation date, status, result, issue, and lesson learned. It should be generated in a timely manner and shared appropriately.

  • The IT governance team should review and approve the patch inventory and the patch management report and ensure they comply with the patch management policies and standards. Azure Policy compliance results are used as supporting evidence for the review; the approval itself is recorded outside Azure, and Azure Blueprints (now deprecated by Microsoft) should not be relied on for this purpose.

  • The IT governance team should conduct periodic audits and reviews of the patch management process and performance and identify the gaps and areas for improvement. The IT governance team should use the Microsoft cloud security benchmark (formerly the Azure Security Benchmark), as assessed in Microsoft Defender for Cloud, and Azure Advisor recommendations as the primary patch audit and review tools.

  • The IT governance team should report the patch management audit and review findings and recommendations to senior management and other stakeholders. Azure Monitor workbooks and Defender for Cloud reports supply the supporting data for this reporting; Azure Service Health is relevant only for Microsoft-side platform maintenance and is not a reporting channel.
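The tiers in the scope and frequency section and the inventory fields above together define a simple compliance check: classify each inventory entry, derive its deadline from the release date, and flag whatever is still uninstalled past that deadline. The script below is an added example written for this page, not part of the policy or of any Azure tooling; the inventory rows are constructed, and the rule that the stricter tier wins when the vendor rating and the CVSS score disagree is the policy's own tie-break.

```python
"""Patch SLA compliance check against the policy's tiers (added example).

Classifies inventory records, computes deadlines, and reports overdue patches.
Inventory rows below are constructed sample data, not real updates.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

TIERS = ["Critical", "Important", "Moderate", "Optional"]  # strictest first

# Remediation windows from the policy; Optional patches have no fixed deadline.
SLA = {
    "Critical": timedelta(hours=24),
    "Important": timedelta(days=7),
    "Moderate": timedelta(days=30),
    "Optional": None,
}


@dataclass
class PatchRecord:
    name: str
    asset: str
    rating: Optional[str]           # vendor severity rating, or None for non-security updates
    cvss: Optional[float]           # CVSS base score, or None when none is published
    released: datetime
    installed: Optional[datetime]   # None while the patch is still outstanding


def tier_from_rating(rating: Optional[str]) -> str:
    """Map a Microsoft-style severity rating onto a policy tier."""
    return {"Critical": "Critical", "Important": "Important",
            "Moderate": "Moderate", "Low": "Moderate"}.get(rating or "", "Optional")


def tier_from_cvss(cvss: Optional[float]) -> str:
    """Map a CVSS base score onto a policy tier using the policy's thresholds."""
    if cvss is None:
        return "Optional"
    if cvss >= 7.0:
        return "Critical"
    if cvss >= 4.0:
        return "Important"
    return "Moderate"


def classify(rating: Optional[str], cvss: Optional[float]) -> str:
    """When rating and score disagree, the stricter (lower index) tier wins."""
    return min(tier_from_rating(rating), tier_from_cvss(cvss), key=TIERS.index)


def deadline(rec: PatchRecord) -> Optional[datetime]:
    window = SLA[classify(rec.rating, rec.cvss)]
    return None if window is None else rec.released + window


def sla_status(rec: PatchRecord, now: datetime) -> str:
    """One of: optional, installed, installed-late, open, overdue."""
    due = deadline(rec)
    if due is None:
        return "optional"
    if rec.installed is not None:
        return "installed" if rec.installed <= due else "installed-late"
    return "overdue" if now > due else "open"


def overdue_report(inventory: List[PatchRecord], now: datetime) -> List[Tuple[str, str, str, float]]:
    """(asset, patch, tier, hours overdue) for uninstalled patches past deadline,
    ordered strictest tier first and then by how long they have been overdue."""
    rows = []
    for rec in inventory:
        if sla_status(rec, now) == "overdue":
            hours = (now - deadline(rec)).total_seconds() / 3600
            rows.append((rec.asset, rec.name, classify(rec.rating, rec.cvss), round(hours, 1)))
    return sorted(rows, key=lambda r: (TIERS.index(r[2]), -r[3]))


# Constructed sample inventory: one release time, five records in different states.
T0 = datetime(2024, 3, 12, 18, 0, tzinfo=timezone.utc)
SAMPLE_INVENTORY = [
    PatchRecord("upd-001", "vm-web-01", "Important", 7.8, T0, None),                   # rating says Important, score says Critical
    PatchRecord("upd-002", "vm-web-01", "Critical", 9.8, T0, T0 + timedelta(hours=20)),  # installed inside the 24h window
    PatchRecord("upd-003", "vm-db-01", "Moderate", 5.3, T0, None),                     # Important by score
    PatchRecord("upd-004", "vm-db-01", "Low", 3.1, T0, None),                          # Moderate, 30-day window
    PatchRecord("upd-005", "app-svc-01", None, None, T0, None),                        # non-security update, no deadline
]

if __name__ == "__main__":
    for row in overdue_report(SAMPLE_INVENTORY, T0 + timedelta(days=10)):
        print("OVERDUE %-12s %-8s %-9s %6.1f h" % row)
```

Run three days after release, only upd-001 is reported (its CVSS score pulls it into the Critical tier despite the Important rating); at ten days upd-003 joins it, and the report lists the Critical item first. The same functions can be pointed at an inventory exported from Azure Update Manager or Defender for Cloud once the columns are mapped onto the record fields.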

Timetabling Solutions ISMS Mapping with Industry Standards

Within the ISO/IEC 27001:2013 framework, patch management is addressed by the following Annex A controls (in ISO/IEC 27001:2022 the primary control is A.8.8, Management of technical vulnerabilities):

A.12.6.1 - Management of technical vulnerabilities: This control requires organisations to obtain timely information about technical vulnerabilities of the information systems in use, evaluate exposure to them, and take appropriate measures to address the associated risk. Patch management is the key activity that satisfies it, and the tiered timescales in this policy are the organisation's definition of "timely".

A.14.2.1 - Secure development policy: While this control primarily focuses on secure software development practices, it indirectly emphasises the importance of addressing security vulnerabilities in software the organisation builds, including through timely patching of the components it depends on.

A.12.2.1 - Controls against malware: This control requires detection, prevention, and recovery controls against malware. Timely application of security patches removes the vulnerabilities that malware commonly exploits to gain a foothold, so patching is one of the preventive measures supporting this control.

A.16.1 - Management of information security incidents and improvements: These controls require procedures for detecting, reporting, and responding to information security incidents, which may include incidents arising from unpatched vulnerabilities. The patch management report and lessons learned feed the improvement requirement.

A.18.2.2 - Compliance with security policies and standards: This control requires managers to regularly review compliance of processing within their area with the applicable policies and standards. The reporting and auditing section of this policy provides that review for patching.


Policy Review


This patch management policy will be reviewed annually or as needed to incorporate updates from Microsoft Azure policies, emerging threats, and changes in regulatory requirements.