CHNG-07

Do you have policy and procedure, currently implemented, managing how critical patches are applied to all systems and applications?

Explanation

This question is asking whether your organization has a formal, documented policy and procedure for managing critical security patches, and importantly, whether this policy is actually being implemented (not just written down somewhere). A patch management policy defines how your organization identifies, evaluates, tests, approves, and deploys security patches to systems and applications. Critical patches are those that address significant security vulnerabilities that could be exploited to compromise systems.

This question is being asked in a security assessment because unpatched systems are one of the most common attack vectors. When vulnerabilities are discovered in software, vendors release patches to fix them. If these patches aren't applied promptly, especially critical ones, attackers can exploit known vulnerabilities to gain unauthorized access, steal data, or disrupt services. A formal patch management process helps ensure that critical security updates aren't missed or delayed.

To best answer this question, you should:

1. Confirm whether you have a documented patch management policy
2. Explain your patch management procedures, particularly for critical patches
3. Describe how you identify which patches are critical
4. Mention your typical timeframes for deploying critical patches
5. Note any tools or systems you use to manage and deploy patches
6. Explain how you verify that patches have been successfully applied
7. Describe any exceptions process for systems that cannot be immediately patched
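The classification, deadline and exception steps above are the parts an assessor will want to see evidenced, and the simplest evidence is a report that compares a patch inventory against the policy. The following is an added example (not from this page or from ResponseHub) that flags hosts missing a critical patch past the deployment window; the CVSS 8.0 threshold and 72-hour SLA are assumptions borrowed from Example Response 1, and the patch IDs, hosts and dates are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Policy parameters assumed for this example, taken from Example Response 1:
CRITICAL_CVSS = 8.0                 # CVSS 8.0 or higher is classified critical
CRITICAL_SLA = timedelta(hours=72)  # critical patches deployed within 72h of release

@dataclass
class Patch:
    patch_id: str
    cvss: float
    released: datetime
    approved_exception: bool = False  # documented exception with compensating controls

@dataclass
class Host:
    name: str
    installed: frozenset  # patch IDs confirmed present by the verification scan

def is_critical(patch: Patch) -> bool:
    return patch.cvss >= CRITICAL_CVSS

def overdue_critical(hosts, patches, now):
    """Sorted (host, patch_id) pairs where a critical patch is missing, the
    deployment window has closed, and no approved exception is on file."""
    findings = []
    for p in patches:
        if not is_critical(p) or p.approved_exception:
            continue
        if now <= p.released + CRITICAL_SLA:
            continue  # still inside the SLA window, not yet a finding
        for h in hosts:
            if p.patch_id not in h.installed:
                findings.append((h.name, p.patch_id))
    return sorted(findings)

# Constructed sample inventory (placeholder IDs, not real patches or hosts)
NOW = datetime(2024, 3, 10, 12, 0)
LATER = NOW + timedelta(days=3)  # a second report date, after PATCH-C's window closes
PATCHES = [
    Patch("PATCH-A", 9.1, datetime(2024, 3, 5, 9, 0)),   # critical, SLA expired
    Patch("PATCH-B", 5.5, datetime(2024, 3, 1, 9, 0)),   # below critical threshold
    Patch("PATCH-C", 8.4, datetime(2024, 3, 9, 9, 0)),   # critical, still inside SLA
    Patch("PATCH-D", 9.8, datetime(2024, 3, 1, 9, 0), approved_exception=True),
]
HOSTS = [
    Host("web01", frozenset({"PATCH-A", "PATCH-C"})),
    Host("db01", frozenset({"PATCH-C"})),
    Host("app01", frozenset()),
]
```

Running `overdue_critical(HOSTS, PATCHES, NOW)` reports `db01` and `app01` for PATCH-A only; PATCH-D is suppressed by its documented exception, which is exactly the record an assessor expects to exist for it.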

Example Responses

Example Response 1

Yes, we have a comprehensive Patch Management Policy and associated procedures that are fully implemented across our organization. Critical patches are identified through our vulnerability management program, which monitors vendor security bulletins and third-party security advisories. Our Security team evaluates and classifies patches based on CVSS scores and business impact, with scores of 8.0+ considered critical. Critical patches must be tested and deployed within 72 hours of release. We use Microsoft SCCM for Windows systems and Ansible for Linux environments to automate patch deployment. Our policy includes emergency patch procedures for zero-day vulnerabilities, which can be deployed outside the standard change management process with appropriate approvals. Compliance with patch deployment is monitored through our vulnerability scanning program, with weekly reports to IT management and monthly metrics to executive leadership.

Example Response 2

Yes, we maintain and actively implement a Patch Management Policy that specifically addresses critical security patches. Our Security Operations Center monitors the National Vulnerability Database and vendor announcements daily to identify new vulnerabilities affecting our environment. Patches addressing vulnerabilities with CVSS scores of 9.0 or higher, or those specifically targeting our industry, are classified as critical. Our policy mandates that critical patches undergo expedited testing in our QA environment and must be deployed to production within 48 hours of successful testing. We use Ivanti Security Controls to manage and deploy patches across our infrastructure. For systems that cannot be immediately patched due to business constraints, we implement compensating controls and document exceptions that require CIO approval. Patch compliance is verified through automated scanning and manual checks, with results reported to our Risk Committee monthly.

Example Response 3

No, we do not currently have a formal policy for managing critical patches. Our approach to patching is ad hoc, with individual system administrators responsible for keeping their systems updated. We generally try to apply important security patches when we become aware of them, but we don't have a systematic process for identifying critical patches or timeframes for deployment. We recognize this is a gap in our security program and are in the process of developing a formal patch management policy and implementing tools to better manage this process. In the interim, we perform quarterly vulnerability scans to identify missing patches and address them reactively.

Context

Tab: Organization
Category: Change Management

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub