System Update Policy
1.0 Overview
This policy is an internal IT policy that defines how often computer system updates are performed and under what conditions they are performed.
2.0 Purpose
This policy is required to establish a minimum process for protecting the organization's computers on the network from security vulnerabilities. It determines how updates are performed for both servers and workstations, who is responsible for performing the updates, and which tools are used to perform system updates.
3.0 Update Requirement Determination
This section defines methods used to determine what updates should be done and when they should be applied.
3.1 Update Types
Several types of updates may be required on any computer, and each of the following computer system components should be considered. They include:
- The computer BIOS.
- The operating system.
- Applications.
3.2 Update Checking
There are several methods for determining when updates should be performed:
- Review of posted security flaws and patches for each type of update applicable to the computer system.
- Automatic scanning of the system to identify available updates not yet applied to the system or its applications.
The review of posted security flaws and patches should always be used for the computer operating system, BIOS, and applications. The manufacturer's website should be consulted, and other appropriate sites may also post relevant bulletins. If an automatic update capability is available, its results should be compared against the list of posted updates to verify that it is complete and accurate.
3.3 Update Vulnerability Types
The update considerations should address vulnerabilities caused by:
- Code errors.
- Misconfigurations not covered by patches. An example would be a configuration problem with a mail server that allows unauthenticated users to relay email through the mail server.