Question: Are systems patched and updated in a timely, verifiable, and documented manner?
-
Objective — Why This Matters
Unpatched systems remain one of the most common initial-access vectors: attackers routinely weaponise publicly disclosed vulnerabilities within days, so the interval between a fix becoming available and that fix being installed and active is measurable exposure. Timely, verifiable patching shrinks that window and demonstrates operational discipline.
-
Maturity Levels (0 – 5)
Level 0 – No patch policy; ad-hoc updates.
Level 1 – Manual patching; no tracking or metrics.
Level 2 – Patch policy exists; monthly cycle established.
Level 3 – Automated deployment; exception register maintained.
Level 4 – Patch data feeds into CMDB/SIEM; metrics monitored.
Level 5 – Risk-based prioritization and continuous assessment.
-
How to Level Up
| From → To | Actions |
|---|---|
| 0 → 2 | Define the policy and publish SLA tiers per severity (critical ≤ 7 days), measured from fix availability to installed-and-active. |
| 2 → 3 | Automate patching via Ansible / WSUS / yum-cron or dnf-automatic; record every run and its outcome. |
| 3 → 4 | Feed patch status into the CMDB or SIEM; alert when a host passes its SLA deadline or reports a reboot still pending. |
| 4 → 5 | Adopt vulnerability prioritization that combines CVSS severity with exploitability evidence (e.g. known-exploited-vulnerability catalogues or EPSS) and the asset's exposure. |
-
People / Process / Technology Enablers
People – Infrastructure and Security Operations.
Process – Patch review, rollback plan, exception management.
Technology – Ansible, WSUS, OpenVAS.
-
Evidence Required
Patch policy, automation run logs (e.g. Ansible or WSUS job output), post-patch scan reports showing the findings closed, and the exception register with approvals and expiry dates.
-
Metrics / KPIs
• Percentage of systems patched within SLA (a patch counts only once it is installed and active, i.e. any required reboot has completed)
• Average days from fix availability to installation for critical vulnerabilities
• Number of pending exceptions past their due date
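These KPIs are only meaningful if the rules behind them are explicit: when the SLA clock starts, what counts as "patched", and how approved exceptions are handled. The Python below is an added worked example (not part of the original page or of any tool listed on it) that computes the three KPIs from a constructed patch-status export. The host names, advisory references, dates and the non-critical SLA tiers are assumptions; only the critical ≤ 7 day tier comes from the page. A host whose patch is installed but still waiting for a reboot is deliberately treated as unpatched, and the resulting non-compliant host list is what you would forward to the SIEM for alerting.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Assumed SLA tiers, in days from fix availability to installed-and-active.
# The page only fixes the critical tier (<= 7 days); the other tiers are illustrative.
SLA_DAYS: Dict[str, int] = {"critical": 7, "high": 14, "medium": 30, "low": 90}


@dataclass
class PatchRecord:
    host: str
    vuln_id: str                          # scanner/advisory reference (constructed values below)
    severity: str                         # key into SLA_DAYS
    fix_available: date                   # vendor fix released; the SLA clock starts here
    applied: Optional[date] = None        # package installed; None = still pending
    reboot_pending: bool = False          # installed, but the old code is still running
    exception_due: Optional[date] = None  # expiry of an approved exception, if one exists

    def deadline(self) -> date:
        return self.fix_available + timedelta(days=SLA_DAYS[self.severity])

    def remediated(self) -> bool:
        # A patch only counts once it is installed AND active: a pending reboot
        # means the vulnerable kernel/library/service is still what is running.
        return self.applied is not None and not self.reboot_pending


def patch_kpis(records: List[PatchRecord], today: date) -> dict:
    """Return the three KPIs plus the hosts that should raise a SIEM alert."""
    decided = 0              # records with a verdict: remediated, or open and past deadline
    on_time = 0
    critical_days: List[int] = []
    exceptions_past_due = 0
    alert_hosts = set()

    for r in records:
        if r.exception_due is not None:
            if r.exception_due >= today:
                continue     # valid approved exception: lives in the register, not the SLA figure
            exceptions_past_due += 1   # expired exception: back under normal SLA rules
        if r.remediated():
            decided += 1
            if r.applied <= r.deadline():
                on_time += 1
            else:
                alert_hosts.add(r.host)
            if r.severity == "critical":
                critical_days.append((r.applied - r.fix_available).days)
        elif today > r.deadline():
            decided += 1     # still open and the deadline has passed: SLA breach
            alert_hosts.add(r.host)
        # open but still inside its window: no verdict yet, not counted either way

    return {
        "pct_within_sla": round(100.0 * on_time / decided, 1) if decided else 100.0,
        "avg_days_critical": sum(critical_days) / len(critical_days) if critical_days else None,
        "exceptions_past_due": exceptions_past_due,
        "alert_hosts": sorted(alert_hosts),
    }


# Constructed sample export (not real hosts or advisories), evaluated as of AS_OF.
AS_OF = date(2024, 6, 20)
SAMPLE_RECORDS = [
    PatchRecord("web-01", "VULN-001", "critical", date(2024, 6, 1), applied=date(2024, 6, 5)),
    PatchRecord("web-02", "VULN-001", "critical", date(2024, 6, 1), applied=date(2024, 6, 10)),  # 9 days: late
    PatchRecord("db-01", "VULN-002", "high", date(2024, 6, 1), applied=date(2024, 6, 12), reboot_pending=True),
    PatchRecord("app-01", "VULN-003", "medium", date(2024, 6, 10)),  # open, still inside its 30-day window
    PatchRecord("legacy-01", "VULN-001", "critical", date(2024, 6, 1), exception_due=date(2024, 7, 31)),
    PatchRecord("legacy-02", "VULN-002", "high", date(2024, 5, 1), exception_due=date(2024, 6, 1)),
    PatchRecord("app-02", "VULN-004", "low", date(2024, 3, 1), applied=date(2024, 4, 15)),
]

if __name__ == "__main__":
    for key, value in patch_kpis(SAMPLE_RECORDS, AS_OF).items():
        print(f"{key}: {value}")
```

Run as a script it reports 40 % within SLA, 6.5 average days for criticals, one expired exception, and three hosts to alert on: web-02 (critical patched late), db-01 (installed but reboot pending, so still vulnerable past its deadline) and legacy-02 (exception expired with the finding still open). Records that are open but inside their window, and records under a still-valid exception, are excluded from the percentage so the figure is not inflated or deflated by work that has not yet come due.
-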
Low-Cost / Open-Source Options (MSME)
| Purpose | Tool | Notes |
|---|---|---|
| Scanning | OpenVAS / Greenbone | Detect missing patches and CVEs. |
| Automation | Ansible / yum-cron / dnf-automatic | Schedule and apply updates; log each run. |
| Metrics | Wazuh / Grafana | Dashboard patch age and compliance. |
-
Common Pitfalls
Patches installed but the host never rebooted, so the vulnerable kernel or long-running service keeps executing the old code while the inventory reports it as patched; no rollback tested before a broad rollout; a patch marked complete without a rescan confirming the finding is closed.
-
Compliance Mapping
| Standard | Clauses / Notes |
|---|---|
| ISO 27001 | A.8.8 (Vulnerability management). |
| NIST CSF 2.0 | ID.RA-01 (vulnerabilities identified and recorded), PR.PS-02 (software maintained commensurate with risk). PR.IP-12 / DE.CM-8 are the equivalent CSF 1.1 identifiers. |
| CERT-In 2022 | Timely patching requirement. |
| NIRMATA Scoring | IS-Q02 ≥ Level 4 requires metrics-driven patch tracking. |