Cyber Essentials Patch Management Explained
No matter which phones, tablets, laptops or computers your organisation is using, it’s important they are kept up to date at all times. This is true for both Operating Systems and installed apps or software. Happily, doing so is quick, easy, and free.
Also known as ‘Patching’
Manufacturers and developers release regular updates which not only add new features, but also fix any security vulnerabilities that have been discovered.
Applying these updates (a process known as patching) is one of the most important things you can do to improve security. Operating systems, software, devices and apps should all be set to ‘automatically update’ wherever this is an option. This way, you will be protected as soon as the update is released.
However, all IT has a limited lifespan. When new updates cease to appear for your hardware or software, you should consider a modern replacement.
Patch Management: What Cyber Essentials Requires
Applies to: web, email and application servers; desktop computers; laptop computers; tablets; mobile phones; firewalls; routers.
Ensure that devices and software are not vulnerable to known security issues for which fixes are available.
Any device that runs software can contain security flaws, known as ‘vulnerabilities’.
Vulnerabilities are regularly discovered in all sorts of software. Once discovered, malicious individuals or groups move quickly to misuse (or ‘exploit’) vulnerabilities to attack computers and networks in organisations with these weaknesses.
Product vendors do not generally release patches for products they no longer support — not even to fix vulnerabilities.
Product vendors provide fixes for vulnerabilities identified in products that they still support, in the form of software updates known as 'patches'. Patches may be made available to customers immediately or on a regular release schedule (perhaps monthly).
Requirements under this technical control theme
The Applicant must keep all its software up to date. Software must be:
- licensed and supported
- removed from devices when no longer supported
- patched within 14 days of an update being released, where the patch fixes a vulnerability with a severity the product vendor describes as 'critical' or 'high risk'*
Some vendors release patches for multiple issues with differing severity levels as a single update. If such an update covers any 'critical' or 'high risk' issues, then it must be installed within 14 days.
*If the vendor uses different terms to describe the severity of vulnerabilities, see the precise definition in the Common Vulnerability Scoring System (CVSS).
For the purposes of the Cyber Essentials scheme, 'critical' or 'high risk' vulnerabilities are those with the following values:
- attack vector: network only
- attack complexity: low only
- privileges required: none only
- user interaction: none only
- exploit code maturity: functional or high
- report confidence: confirmed or high
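The two rules above (the 14-day window for 'critical' or 'high risk' fixes, the "any one issue in a bundled update pulls the whole update in scope" rule, and the CVSS-based definition of 'critical' or 'high risk') are easy to get wrong when tracked by hand. The following is an added example, not code from the Cyber Essentials scheme or the NCSC, that encodes them as a small patch-compliance check. It assumes the CVSS v3.1 vector-string notation (AV/AC/PR/UI for the base metrics, E and RC for exploit code maturity and report confidence) and maps the scheme's wording onto those abbreviations; the patch records are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Cyber Essentials definition of 'critical' / 'high risk', mapped onto
# CVSS v3.1 vector abbreviations (this mapping is an assumption of the example):
#   attack vector: network only            -> AV:N
#   attack complexity: low only            -> AC:L
#   privileges required: none only         -> PR:N
#   user interaction: none only            -> UI:N
#   exploit code maturity: functional/high -> E:F or E:H
#   report confidence: confirmed           -> RC:C
REQUIRED_METRICS = {
    "AV": {"N"}, "AC": {"L"}, "PR": {"N"}, "UI": {"N"},
    "E": {"F", "H"}, "RC": {"C"},
}

# Fixes for in-scope vulnerabilities must be applied within 14 days of release.
PATCH_WINDOW = timedelta(days=14)


def parse_cvss_vector(vector: str) -> dict:
    """Split a CVSS v3.x vector such as
    'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RC:C' into {metric: value}."""
    parts = vector.strip().split("/")
    if not parts[0].startswith("CVSS:3"):
        raise ValueError(f"unsupported CVSS vector: {vector!r}")
    metrics = {}
    for part in parts[1:]:
        key, sep, value = part.partition(":")
        if not sep or not key or not value:
            raise ValueError(f"malformed metric {part!r} in {vector!r}")
        metrics[key] = value
    return metrics


def is_ce_high_risk(vector: str) -> bool:
    """True only when every Cyber Essentials criterion is met.
    A vector that omits E or RC cannot satisfy the exploit-maturity or
    report-confidence criteria, so it is not classed as high risk here."""
    metrics = parse_cvss_vector(vector)
    return all(metrics.get(k) in allowed for k, allowed in REQUIRED_METRICS.items())


def update_in_scope(vectors: list) -> bool:
    """A bundled update is in scope if ANY issue it fixes is high risk."""
    return any(is_ce_high_risk(v) for v in vectors)


@dataclass
class PatchRecord:
    product: str
    vectors: list                 # CVSS vectors of the issues the update fixes
    released: date                # date the vendor released the update
    installed: Optional[date]     # None if not yet applied


def patch_deadline(released: date) -> date:
    return released + PATCH_WINDOW


def assess(record: PatchRecord, today: date) -> str:
    """Return one of: not-in-scope, compliant, late, due, overdue."""
    if not update_in_scope(record.vectors):
        return "not-in-scope"
    deadline = patch_deadline(record.released)
    if record.installed is not None:
        return "compliant" if record.installed <= deadline else "late"
    return "due" if today <= deadline else "overdue"


def assess_iso(product: str, vectors: list, released: str,
               installed: Optional[str], today: str) -> str:
    """Convenience wrapper taking ISO-8601 date strings."""
    rec = PatchRecord(
        product, vectors, date.fromisoformat(released),
        date.fromisoformat(installed) if installed else None,
    )
    return assess(rec, date.fromisoformat(today))


if __name__ == "__main__":
    # Constructed sample inventory; vectors and dates are illustrative only.
    today = "2024-03-20"
    inventory = [
        ("Office suite", ["CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RC:C"],
         "2024-03-01", "2024-03-10"),
        ("Router firmware", ["CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RC:C"],
         "2024-03-01", None),
        ("PDF reader", ["CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RC:C"],
         "2024-03-01", None),
    ]
    for product, vectors, released, installed in inventory:
        print(f"{product:16s} {assess_iso(product, vectors, released, installed, today)}")
```

The check is deliberately strict in one direction: a vector with no temporal metrics is reported as not in scope, so a tracker built on this logic should treat "no E/RC data" as a prompt to look the severity up, not as a reason to skip the patch. A vendor's own 'critical' or 'high risk' label, where one is given, also puts the update in scope regardless of what this CVSS-based test says.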