PR.PS-02.241

Does your organization implement and adhere to defined timeframes for routine and emergency patching as specified in your vulnerability management plan?

Explanation

This question assesses whether your organization has established clear timeframes for applying security patches and consistently follows these schedules based on patch criticality. Effective patch management requires differentiating between routine updates that can follow regular maintenance windows and emergency patches that address critical vulnerabilities requiring immediate attention. Evidence could include your vulnerability management plan with clearly defined patching timeframes, patch deployment reports showing adherence to these timeframes, change management records documenting patch implementations, and metrics showing the percentage of systems patched within target timeframes for both routine and emergency scenarios.
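As an added illustration that is not part of the control text or ResponseHub's own material, the adherence metric mentioned above (share of systems patched within the target timeframe, tracked separately for routine and emergency patches) can be computed from deployment records like this; the timeframes, system names and records are constructed assumptions, not values from this page.

```python
from datetime import date, timedelta

# Target timeframes as a vulnerability management plan might state them.
# Assumed values for this example only, not taken from the control text.
PATCH_SLA = {"emergency": timedelta(days=3), "routine": timedelta(days=30)}

# Reporting date used when judging records that are still unpatched (constructed).
REPORT_DATE = date(2024, 3, 10)

# Constructed deployment records: when the fix became available and when it
# was applied (None = still unpatched on the reporting date).
RECORDS = [
    {"system": "web-01", "severity": "critical", "available": date(2024, 3, 1), "deployed": date(2024, 3, 2)},
    {"system": "web-02", "severity": "critical", "available": date(2024, 3, 1), "deployed": date(2024, 3, 6)},
    {"system": "db-01", "severity": "high", "available": date(2024, 2, 10), "deployed": date(2024, 3, 5)},
    {"system": "app-01", "severity": "medium", "available": date(2024, 2, 1), "deployed": None},
    {"system": "app-02", "severity": "low", "available": date(2024, 3, 5), "deployed": None},
]


def track_for(severity):
    """Map patch criticality to the plan's patching track (assumed rule: critical = emergency)."""
    return "emergency" if severity == "critical" else "routine"


def evaluate(record, as_of=REPORT_DATE, sla=PATCH_SLA):
    """Return 'met', 'missed' or 'pending' for one record as of the reporting date."""
    deadline = record["available"] + sla[track_for(record["severity"])]
    if record["deployed"] is not None:
        return "met" if record["deployed"] <= deadline else "missed"
    # Unpatched: overdue counts as a miss, not-yet-due stays pending.
    return "missed" if as_of > deadline else "pending"


def adherence(records, as_of=REPORT_DATE, sla=PATCH_SLA):
    """Per-track counts and the percentage of due patches applied on time."""
    stats = {track: {"met": 0, "missed": 0, "pending": 0} for track in sla}
    for rec in records:
        stats[track_for(rec["severity"])][evaluate(rec, as_of, sla)] += 1
    for s in stats.values():
        due = s["met"] + s["missed"]          # pending patches are not yet due
        s["pct_on_time"] = round(100 * s["met"] / due, 1) if due else None
    return stats


if __name__ == "__main__":
    for track, s in adherence(RECORDS).items():
        print(track, s)
```

Overdue records in the "missed" bucket are the ones to list as exceptions in a patch deployment report, since an auditor will ask about each one.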

Implementation Example

Perform routine and emergency patching within the timeframes specified in the vulnerability management plan

ID: PR.PS-02.241

Context

Function
PR: PROTECT
Category
PR.PS: Platform Security
Sub-Category
Software is maintained, replaced, and removed commensurate with risk

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC-backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub