
1. Overview

OPS-27 Managing Vulnerabilities - Patch Management Policies and Procedures

Designation | Standard

OPS-27.01B
Policies and procedures with technical and organisational measures are documented, communicated and provided in accordance with SP-01 to ensure that system components under the responsibility of the cloud service provider are patched within a suitable time frame, depending on contractual agreements and on the identified vulnerabilities or exploits. These policies and procedures contain specifications regarding the following aspects:

1. Software is kept up to date, including timely deployment of security patches;
2. Patches are scheduled within maintenance windows, where applicable, to minimise service disruption; and
3. Patches are tested in non-production environments and are rolled out to the production environment only if testing was successful. Mechanisms are in place to revert to previous software versions in case of unexpected issues.

Patches are defined as software updates to system components with the goal of increasing security by addressing issues, vulnerabilities or exploits.

What constitutes "timely" in the sense of this subcriterion depends on the criticality of the patched issue, vulnerability or exploit.

OPS-27.02B
Patch management procedures are harmonised with the cloud service provider's overall software change management process (cf. DEV-03).

Patches are defined as software updates to system components with the goal of increasing security by addressing issues, vulnerabilities or exploits.

OPS-27.03B
In accordance with the measures and procedures of the overall change management process, patches provided by third parties are identified, tested and deployed.

Patches are defined as software updates to system components with the goal of increasing security by addressing issues, vulnerabilities or exploits.

OPS-27.04B
Systems are scanned after patches have been applied to confirm that the targeted vulnerabilities and exploits have been remediated and that no known, unmitigated vulnerabilities or exploits were introduced by the deployment.

Patches are defined as software updates to system components with the goal of increasing security by addressing issues, vulnerabilities or exploits.

The scans performed after the application of a patch can, but do not have to, be restricted to the system components to which the patch was applied.

OPS-27.03AS
In accordance with the measures and procedures of the overall change management process, patches provided by third parties are identified, tested and deployed in an automated manner. For patches that require manual intervention, an exception handling process for manual patching is defined.

Patches are defined as software updates to system components with the goal of increasing security by addressing issues, vulnerabilities or exploits.
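The post-patch verification required by OPS-27.04B has two halves that are easy to conflate: confirming that the vulnerabilities the patch run targeted are gone, and confirming that the run did not pull in a component version with a different known issue. The following is an added example, not text or tooling from the C5 catalogue or from BSI, showing the comparison logic a scanner performs for that check: a pre-patch and a post-patch software inventory are compared against a list of advisories, and the result is split into remediated, still-unremediated and newly-introduced findings. The advisory identifiers, package names and version ranges are constructed for the example, the version comparison is a deliberate simplification (numeric fields only), and in practice the advisory data would come from the scanner's vulnerability feed rather than a literal in the script. As OPS-27.04B permits, the check is restricted to components that appear in the advisories, not the whole system.

```python
"""Post-patch verification: did the patch run remediate what it targeted,
and did it introduce anything with a known issue? (Constructed example.)"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    """A vendor advisory. Versions in [affected_from, fixed_in) are vulnerable."""
    advisory_id: str
    package: str
    affected_from: str   # first affected version (inclusive)
    fixed_in: str        # first fixed version (exclusive upper bound)


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '1.2.3-4' into (1, 2, 3, 4). Simplification: numeric fields only,
    so release-candidate or epoch syntax would need a real version library."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version))
    if not parts:
        raise ValueError(f"unparseable version: {version!r}")
    return parts


def is_affected(installed: str, advisory: Advisory) -> bool:
    """True if the installed version lies in the advisory's affected range."""
    v = parse_version(installed)
    return parse_version(advisory.affected_from) <= v < parse_version(advisory.fixed_in)


def parse_inventory(text: str) -> dict[str, str]:
    """Parse 'package version' lines (one per line; '#' starts a comment)."""
    inventory: dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, version = line.split()
        inventory[name] = version
    return inventory


def verify_patch_run(before: dict[str, str], after: dict[str, str],
                     advisories: list[Advisory]) -> dict[str, list[tuple[str, str]]]:
    """Compare pre- and post-patch inventories against the advisory list.

    Returns three sorted lists of (package, advisory_id):
      remediated   - affected before the run, no longer affected after it
      unremediated - affected before and still affected (patch not applied or ineffective)
      introduced   - not affected before, affected after (a known-bad version was deployed)
    """
    remediated, unremediated, introduced = [], [], []
    for adv in advisories:
        if adv.package not in after:
            continue  # component not present on the system; nothing to verify
        was = adv.package in before and is_affected(before[adv.package], adv)
        now = is_affected(after[adv.package], adv)
        key = (adv.package, adv.advisory_id)
        if was and not now:
            remediated.append(key)
        elif was and now:
            unremediated.append(key)
        elif now:
            introduced.append(key)
    return {"remediated": sorted(remediated),
            "unremediated": sorted(unremediated),
            "introduced": sorted(introduced)}


def patch_run_is_clean(result: dict[str, list[tuple[str, str]]]) -> bool:
    """The OPS-27.04B condition: nothing left unremediated, nothing newly introduced."""
    return not result["unremediated"] and not result["introduced"]


# Constructed advisory data and inventories (hypothetical IDs, packages, versions).
ADVISORIES = [
    Advisory("ADV-2024-001", "libexample", "1.0", "1.4.2"),
    Advisory("ADV-2024-002", "webfront", "3.1.0", "3.1.7"),
    Advisory("ADV-2024-003", "dbclient", "2.9.0", "2.9.5"),
    Advisory("ADV-2024-004", "kernel-tools", "5.10", "5.10.200"),
]
BEFORE_INVENTORY = """
libexample   1.3.9
webfront     3.1.4
dbclient     2.8.3
kernel-tools 5.10.150
"""
AFTER_INVENTORY = """
libexample   1.4.2      # upgraded to the fixed version
webfront     3.1.4      # patch was scheduled but not applied
dbclient     2.9.1      # upgraded into a range covered by another advisory
kernel-tools 5.10.200   # upgraded to the fixed version
"""

if __name__ == "__main__":
    result = verify_patch_run(parse_inventory(BEFORE_INVENTORY),
                              parse_inventory(AFTER_INVENTORY), ADVISORIES)
    for category, findings in result.items():
        print(f"{category:13s} {findings}")
    print("patch run clean:", patch_run_is_clean(result))
```

Run as a script, the constructed data reports two remediated findings, webfront still unremediated (the patch was not applied), and dbclient as introduced, because the new 2.9.1 falls inside ADV-2024-003's affected range; the run is therefore not clean, and under OPS-27.01B item 3 the dbclient change is a candidate for rollback. The point of keeping the "introduced" category separate from "unremediated" is that the two have different remediation paths: the first is a change management failure, the second a patch selection failure.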

1.1 References

1.2 Identified Requirements

1.3 Related Regulations

2. Identified Requirements

Requirements
Source | Requirement

3. Related Regulations

Regulations
Source | Regulation