How do you manage patching for your infrastructure? What are your SLAs based on vulnerability severity?
Explanation & Context
Understanding the Question
This question is asking about your organization's process for updating and securing its infrastructure through patching. Patching involves applying updates or fixes to software and systems to address known vulnerabilities and improve security. The question also asks about your Service Level Agreements (SLAs) for patching, which are commitments to apply patches within specific timeframes based on the severity of the vulnerability. Severity levels typically include critical, high, medium, and low, with critical vulnerabilities requiring the fastest response.
Why It Matters
Effective patch management is crucial for maintaining the security and stability of your infrastructure. Vulnerabilities can be exploited by attackers to gain unauthorized access, cause disruptions, or steal data. By establishing clear SLAs for patching based on vulnerability severity, you ensure that the most critical security issues are addressed promptly, reducing the risk of a breach. This demonstrates to stakeholders that your organization is proactive in managing security risks and maintaining a secure environment.
Example of Evidence
To demonstrate fulfillment of this question, you might provide documentation of your patch management policy, which outlines the procedures for identifying, testing, and applying patches. Additionally, you could share reports or dashboards that show patch application timelines based on vulnerability severity, illustrating how your organization meets its SLAs. For instance, you might show that all critical vulnerabilities are patched within 48 hours, high severity within a week, and medium and low severity within a month.
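As an added illustration of the kind of dashboard evidence described above (example code, not from the original page), the script below applies the stated SLA windows (critical 48 hours, high one week, medium and low one month) to a constructed list of scanner findings and reports, per severity, which findings met, missed, or are still within their SLA. It assumes a one-month window means 30 days and that findings carry `severity`, `detected` and `patched` fields.

```python
"""Patch SLA compliance report over vulnerability findings (added example)."""
from datetime import datetime, timedelta, timezone

# SLA windows per severity as stated in the text; "a month" taken as 30 days (assumption).
SLA_WINDOWS = {
    "critical": timedelta(hours=48),
    "high": timedelta(weeks=1),
    "medium": timedelta(days=30),
    "low": timedelta(days=30),
}

def sla_status(finding, now):
    """Classify one finding: 'met'/'late' if patched, 'open'/'overdue' if still unpatched."""
    sev = finding["severity"].lower()
    if sev not in SLA_WINDOWS:
        raise ValueError(f"unknown severity: {finding['severity']}")
    deadline = finding["detected"] + SLA_WINDOWS[sev]
    patched = finding.get("patched")
    if patched is not None:
        return "met" if patched <= deadline else "late"
    return "open" if now <= deadline else "overdue"

def sla_report(findings, now):
    """Per severity: status counts and compliance rate (met / judged).
    Open findings still inside their window are not yet judged."""
    report = {}
    for f in findings:
        bucket = report.setdefault(f["severity"].lower(),
                                   {"met": 0, "late": 0, "open": 0, "overdue": 0})
        bucket[sla_status(f, now)] += 1
    for bucket in report.values():
        judged = bucket["met"] + bucket["late"] + bucket["overdue"]
        bucket["compliance"] = round(bucket["met"] / judged, 2) if judged else None
    return report

def _ts(s):
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)

# Constructed sample export (not real scanner data) with assumed field names.
SAMPLE_FINDINGS = [
    {"id": "F-1", "severity": "critical", "detected": _ts("2024-03-01T09:00"), "patched": _ts("2024-03-02T15:00")},
    {"id": "F-2", "severity": "critical", "detected": _ts("2024-03-01T09:00"), "patched": _ts("2024-03-04T10:00")},
    {"id": "F-3", "severity": "high",     "detected": _ts("2024-03-03T00:00"), "patched": None},
    {"id": "F-4", "severity": "medium",   "detected": _ts("2024-01-20T00:00"), "patched": None},
    {"id": "F-5", "severity": "low",      "detected": _ts("2024-03-05T00:00"), "patched": _ts("2024-03-20T00:00")},
]
NOW = _ts("2024-03-08T12:00")

if __name__ == "__main__":
    for sev, stats in sla_report(SAMPLE_FINDINGS, NOW).items():
        print(f"{sev:9} {stats}")
```

Running the script on the sample data shows the critical bucket at 50% compliance (one late patch) and the medium finding overdue, the kind of per-severity breakdown an auditor would expect to see alongside the policy document.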
Example Responses
Example Response 1
We manage patching for our infrastructure through the PaaS provider, which automatically applies security updates and patches. Our SLAs are based on the provider's vulnerability severity ratings, ensuring that critical vulnerabilities are addressed within 24 hours.
Example Response 2
Our patch management process involves a dedicated team that monitors vulnerability databases and applies patches to our AWS infrastructure. We have established SLAs where critical vulnerabilities are patched within 48 hours, high severity within a week, and medium and low severity within a month.
Example Response 3
As our software is deployed on-premises and does not rely on cloud infrastructure, the question regarding patching SLAs based on vulnerability severity is not directly applicable to our environment. However, we do conduct regular security assessments and apply patches as needed to maintain the security of our systems.