S 2.273 Prompt installation of security-relevant patches and updates
Initiation responsibility: Head of IT, IT Security Officer
Implementation responsibility: IT Security Officer, Administrator
Errors are frequently detected in products which may impair the information security of the information system in which they are operated. Such errors can affect hardware, firmware, operating systems and applications. These vulnerabilities must be eliminated as quickly as possible so that they cannot be exploited by internal or external attackers. This is particularly important if the affected systems are connected to the internet. The manufacturers of operating system or software components generally publish patches or updates which must be installed on the relevant IT system in order to eliminate the error(s).
Therefore, the system administrators should regularly inform themselves about detected vulnerabilities (see also S 2.35 Obtaining information on security weaknesses of the system).
It is important that patches and updates, like any other software, are only downloaded from trusted sources. For every system or software product used, it must be known where security updates and patches are made available. It is also important that the integrity and authenticity of the products already installed and of the security updates and patches to be installed is checked (see S 4.177 Assuring the integrity and authenticity of software packages) before an update or patch is installed. They should also be checked with an anti-virus program before installation. This should be done even for packages whose integrity and authenticity has already been verified.
However, security updates or patches must not be installed hastily; they must be tested before they are installed. If a conflict with other critical components or programs is revealed, the respective update may otherwise result in a system failure. If necessary, an affected system must be protected by other safeguards until the tests are completed.
A data backup of the system should always be made before installing an update, so that the original state can be restored in case of problems. This is especially important when comprehensive testing is not possible due to lack of time or lack of a suitable test system.
In any case, it must be documented which patches and updates were installed, when, by whom and for what reason (see also S 2.34 Documentation on changes made to an existing IT system). It must always be possible to determine the current patch level of the system quickly from this documentation, so that it can be clarified without delay whether the system is at risk when new vulnerabilities are discovered.
If it is detected that a security update or a patch is incompatible with another important component or program, or causes other problems, how to proceed must be carefully considered. If the decision is made not to install a patch because of the problems encountered, this decision must be documented. In addition, it must be clearly described in this case which safeguards were taken as an alternative in order to prevent exploitation of the vulnerability. Such a decision must not be made by the administrators alone, but must be coordinated with their superiors and the IT Security Officer.
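The following is an added illustration, not part of the safeguard text, of how the three record-keeping and verification requirements above (integrity check before installation, a journal of who installed what and why, and a documented deferral with alternative safeguards) can be supported by a small script. The package bytes, the "vendor-published" digest, the system name and the patch identifiers are all constructed sample values.

```python
import hashlib
from datetime import datetime, timezone

# Constructed sample: the digest stands in for the one the vendor publishes out-of-band.
SAMPLE_PACKAGE = b"constructed sample patch payload, not a real vendor package"
SAMPLE_PUBLISHED_SHA256 = hashlib.sha256(SAMPLE_PACKAGE).hexdigest()


def verify_patch_digest(package: bytes, published_sha256: str) -> bool:
    """Compare the SHA-256 of the downloaded package with the vendor-published
    digest; installation must not proceed on a mismatch."""
    return hashlib.sha256(package).hexdigest() == published_sha256.strip().lower()


class PatchJournal:
    """Records which patch was installed or deferred on which system, when, by whom and why."""

    def __init__(self):
        self.entries = []

    def _add(self, **entry):
        entry["timestamp"] = datetime.now(timezone.utc).isoformat()
        self.entries.append(entry)
        return entry

    def record_install(self, system, patch_id, installed_by, reason):
        return self._add(system=system, patch_id=patch_id, action="installed",
                         by=installed_by, reason=reason)

    def record_deferral(self, system, patch_id, decided_by, coordinated_with,
                        problem, alternative_safeguards):
        # A decision not to install is only valid if it was coordinated
        # (superiors, IT Security Officer) and names the alternative safeguards.
        if not coordinated_with or not alternative_safeguards:
            raise ValueError("deferral requires coordination and alternative safeguards")
        return self._add(system=system, patch_id=patch_id, action="deferred",
                         by=decided_by, coordinated_with=list(coordinated_with),
                         problem=problem, alternative_safeguards=list(alternative_safeguards))

    def patch_level(self, system):
        """Current patch level: every patch recorded as installed on the system."""
        return sorted({e["patch_id"] for e in self.entries
                       if e["system"] == system and e["action"] == "installed"})

    def exposure(self, system, patch_id):
        """On disclosure of a vulnerability fixed by patch_id: is the system patched,
        covered by a documented deferral, or exposed without any record?"""
        if patch_id in self.patch_level(system):
            return "patched"
        deferred = any(e["system"] == system and e["patch_id"] == patch_id
                       and e["action"] == "deferred" for e in self.entries)
        return "deferred-with-safeguards" if deferred else "unpatched-undocumented"
```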
Review questions:
- Have rules been specified for patch management?
- Are software updates and patches downloaded exclusively from trusted sources?
- Are software updates and patches tested before the roll out?
- Has it been ensured that the original system state can be restored in case of a failed update?
- Is the decision not to install a patch due to the problems encountered documented?