Policy 7230A - Department of Administration
Policy 7230A - Department of Administration
Policy 7230A - Department of Administration
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
o The individuals to be notified.<br />
o The individuals to provide the notification.<br />
o The milestones at which notification will occur.<br />
o The method through which notification will occur (i.e.,<br />
telephone and number, e-mail and address).<br />
6.3.2. Perform Patch and Vulnerability Management<br />
Agencies should perform patch and vulnerability management to minimize the<br />
number <strong>of</strong> incidents to which a response may be required by mitigating<br />
vulnerabilities before they can be exploited.<br />
6.3.2.a Identify Patch Monitoring Sources<br />
• System solution vendor websites.<br />
• Security solution vendor websites.<br />
• Third party mailing lists and notification services.<br />
• Vulnerability scanning tools.<br />
• Patch management tools.<br />
6.3.2.b Patch Monitoring Frequency<br />
• Monitoring for patches should be performed in accordance<br />
with the risk categorization <strong>of</strong> the system:<br />
o Patches for very high and high risk systems should be<br />
monitored for on a weekly basis.<br />
o Patches for medium risk systems should be monitored<br />
for on a monthly basis.<br />
o Patches for very low and low risk systems should be<br />
monitored for on a quarterly basis.<br />
6.3.2.c Remediation Prioritization Scheme<br />
• Determine which systems are affected by threats or<br />
vulnerabilities, giving prioritization preference to those that<br />
are deemed to have a higher level <strong>of</strong> criticality.<br />
• Determine which threats or vulnerabilities have the greatest<br />
potential for causing a system impact giving prioritization<br />
preference to those that have a higher likelihood <strong>of</strong> causing an<br />
impact.<br />
• Determine which threats or vulnerabilities have the greatest<br />
potential <strong>of</strong> spreading to other systems within the<br />
organization giving prioritization preference to those that<br />
have a higher likelihood <strong>of</strong> spreading.<br />
• Determine which threats or vulnerabilities have the potential<br />
for causing the greatest amount <strong>of</strong> damage giving<br />
prioritization preference to those that have a cause a greater<br />
amount <strong>of</strong> harm.<br />
19