Software patches are defined in this document as program modifications involving externally developed software. Patch management standards should include procedures (similar to the routine modification standards described above) for identifying, evaluating, approving, testing, installing, and documenting patches.
Vendors frequently develop and issue patches to correct software problems, improve performance, and enhance security. Organizations should have procedures in place to identify available patches and to acquire them only from trusted sources, such as the vendor's own distribution channel, and to verify the integrity of what they download (for example, against the vendor's published hashes or signatures) before it enters the test environment. Procedures for identifying software vulnerabilities and patch information include subscribing to patch-alert e-mail lists and monitoring vendor and security-related websites. Management should regularly obtain bulletins about product enhancements and security issues, as well as available patches and upgrades, from its vendors or other trusted information security sources.
When an available patch is identified, management should evaluate the impact of installing it by assessing the technical, business, and security implications. If management identifies a significant patch but decides not to install it, it should document the reasons for that decision.
In order to minimize operational disruptions, management should test all patches prior to implementation. Additionally, management should appropriately back up files and programs and have established back-out procedures in place before implementation.
As with all software modifications, appropriate backup and back-out procedures, post-implementation evaluations, detailed documentation, and established implementation plans enhance management's ability to effectively control patch activities.
Note: The installation of software patches may reset security settings or configuration parameters to default settings, or replace locally hardened configuration files with the vendor's defaults. Management should review all settings and parameters after patches are applied to ensure the settings conform to approved policies and procedures. Comparing the post-patch configuration against a recorded pre-patch baseline is a practical way to detect such resets.
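One way to perform the post-patch review described in the note above, as an added example that is not part of the original document: record the effective configuration of a service before the patch, parse it again afterwards, and report every setting that no longer matches the approved policy. The sshd_config-style file format, the approved-policy table, the implicit-default table, and both before/after snapshots below are constructed for illustration; a real check would read the files from disk and use the daemon's documented defaults.

```python
"""Detect security settings reset by a patch (added example, not from the source document).

Compares a service's configuration before and after a patch against an
approved baseline and reports every setting that no longer conforms.
The sshd_config-style format and the sample snapshots are constructed
for illustration only.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the approved policy for the service's security settings.
# Keys and values are compared case-insensitively.
APPROVED_POLICY: Dict[str, str] = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "x11forwarding": "no",
    "maxauthtries": "3",
    "loglevel": "verbose",
}

# Constructed subset of daemon defaults that apply when a directive is
# absent or commented out. A real check would use the vendor's documented defaults.
IMPLICIT_DEFAULTS: Dict[str, str] = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
}

# Constructed pre-patch snapshot: compliant with policy.
PRE_PATCH = """\
# sshd_config (hardened by local policy)
PermitRootLogin no
PasswordAuthentication no
X11Forwarding no
MaxAuthTries 3
LogLevel VERBOSE
"""

# Constructed post-patch snapshot: the upgrade replaced the file with vendor defaults,
# commenting out two hardened directives and changing two others.
POST_PATCH = """\
# sshd_config (vendor default shipped with the patch)
#PermitRootLogin prohibit-password
#PasswordAuthentication yes
X11Forwarding yes
MaxAuthTries 3
LogLevel INFO
"""


def parse_config(text: str) -> Dict[str, str]:
    """Return effective directives as {lowercase key: lowercase value}.

    Blank lines and comments are ignored. For repeated keys the first
    occurrence wins, matching sshd's first-match semantics, so a directive
    appended at the end of the file cannot silently override an earlier one.
    """
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # malformed line: no value
        key, value = parts[0].lower(), parts[1].strip().lower()
        settings.setdefault(key, value)
    return settings


def effective_value(settings: Dict[str, str], key: str) -> Optional[str]:
    """Value in force for `key`: explicit setting, else the daemon default (if known)."""
    return settings.get(key, IMPLICIT_DEFAULTS.get(key))


@dataclass
class Finding:
    setting: str
    expected: str
    before: Optional[str]
    after: Optional[str]


def check_drift(pre_text: str, post_text: str,
                policy: Dict[str, str] = APPROVED_POLICY) -> List[Finding]:
    """Report every policy setting whose post-patch effective value differs from policy.

    A directive that the patch commented out is caught because the effective
    value falls back to the daemon default rather than disappearing.
    """
    pre, post = parse_config(pre_text), parse_config(post_text)
    findings: List[Finding] = []
    for key, expected in policy.items():
        after = effective_value(post, key)
        if after != expected:
            findings.append(Finding(key, expected, effective_value(pre, key), after))
    return findings


if __name__ == "__main__":
    for f in check_drift(PRE_PATCH, POST_PATCH):
        print(f"{f.setting}: policy={f.expected} before={f.before} after={f.after}")
```

The check deliberately treats a commented-out directive as a deviation rather than as "unset": after a patch, the dangerous case is a hardened line that has vanished and whose effective value is now whatever the daemon assumes by default. Running the same comparison against the pre-patch snapshot should return no findings, which is a useful sanity test of the baseline itself before the patch window.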