S 2.424 Security policy for the use of patch and change management tools
Initiation responsibility: IT Security Officer, Head of IT
Implementation responsibility: IT Security Officer, Change Manager
As the central means of implementing the patch and change management process and of distributing software, a patch and change management tool plays an essential role in the secure and proper operation of an organisation.
Patch and change management must be performed with appropriate organisational and technical efforts. Here, the protection requirements of the business processes and therefore the protection requirements of the data and systems must be taken into consideration. For this, a specific security policy should be drawn up for patch and change management. This policy must be coordinated with the organisation's security concept and the security policies derived from it.
The security policy must contain specifications for aspects including the following:
Requirements for planning
- Regarding the scalability of the tool's server application, requirements for the use of replication, load distribution, and the option of using technical redundancies must be formulated in advance.
- Suitable regulations for a secure network connection to external sources of patches or changes, e.g. with manufacturers, must be specified. For example, the direct connection between the clients and the manufacturers of the software used may be diverted to a proxy with the help of the corresponding rules on the security gateway.
- Suitable concepts and components must be specified in order to be able to reliably check the integrity and authenticity of patches and changes.
- Requirements for the provision of the documentation regarding the operation, emergency, and restart of the patch and change management tool must be formulated. Among other things, these requirements include that the documentation must always be up to date. Furthermore, it must be defined where the documentation must be stored and how many copies of the documentation must be present.
Requirements for administration
- It is necessary to draw up an authorisation concept for employees in patch and change management and also for the services used by the patch and change management software.
- For the administrators, it must be defined how rights are assigned, which rights they are granted, or which rights they are allowed to distribute.
Requirements for installation
The tools for patch and change management must be configured securely. The specific settings depend strongly on the organisation's existing applications and IT systems. General information on this subject can be found in S 4.237 Secure basic configuration of IT systems.
- It must be defined how the IT resources relevant to the patch and change management tool, such as the components of the software for distributing the patches and changes and the operating systems, are to be configured with security aspects taken into consideration.
- The patch and change management tool should be separated appropriately in the LAN. New changes and patches should not be tested in the production network, but in a separate test network.
Requirements for secure operation
- Requirements and procedures must be specified for operating a patch and change management tool, for example who may access the tool and where changes may be performed.
- Patches and changes are often obtained from the internet. Connections to public or less trustworthy networks must be secured using security gateways as a matter of principle.
- The patch and change management tool itself must be integrated into the patch and change management process. In this context, it must be defined how hardware and software changes for the patch and change management tool itself are to be handled.
Requirements for logging and monitoring
The method of monitoring, logging, and evaluating the data provided by the patch and change management tool must be specified.
Data backups
An appropriate procedure for backing up the data must be specified. At least the following components should be backed up at regular intervals within the framework of data backup:
- the configuration and/or settings of the tools required for patch and change management
- the databases, including the current configurations of the IT systems
- the exact compiler settings for self-compiled software
- the installed patches and changes
- the most recent restore points of the IT systems
- any existing older versions, for example because the latest version of a piece of software has not yet been tested sufficiently or cannot be run on all systems
- an overview of the reference checksums of the software packages; this overview should, if possible, be backed up on a Write Once Read Many (WORM) medium.
Furthermore, the procedure for the patch and change management tool must be integrated into the comprehensive data backup policy of the organisation (see also S 6.32 Regular data backup).
Malfunction and contingency planning
The business continuity plans for each application and IT system administered by the patch and change management system must be taken into account in contingency planning.
Depending on the availability requirements for the patch and change management tool, it should be considered whether a separate business continuity plan should be drawn up for undesired effects following the installation of patches and changes for the patch and change management tool.
Review questions:
- Is there a security policy for the patch and change management tool?
- Does the security policy take into consideration all relevant aspects for the use of a patch and change management tool?