POL00362914 - Cyber Security Standard Patch Management Standard V1.3

Evidence on official site

POL00362914
POL00362914

Post Office Limited - Document Classification: CONFIDENTIAL

@

Cyber Security Standard
Patch Management Standard

Version —- V1.3

INTERNAL Page 1 of 11 Patch Management Standard v1.3
POL00362914
POL00362914

Post Office Limited - Document Classification: CONFIDENTIAL

1 Overview

1.1. Introduction by the Standard Owner.

1.2 Purpose ..

1.3. Application.

2 — POlICY FraMeWOFk .......cccecccseceeeeeeeeesaeeeesaueeesseueseseueessueesesueeseseaeressueeseeeeeeeeegeees 4
2.1 Policy Framework......cccceeceesseeeeeeeeeeeneeeeeeeeeeeeeeesenseeeeeeeeeseeaaeseeaaeeeeeaaeseeaaeee 4
2.2 WhO MUSt COMPLY? ........seesesseeeeeeeeeseeeeeeeeeeesssnseeeeeeeeeeeeeeeeeeeesseeaeeeeeeeseeeeeeees 4

B SCOPE cess eeessseesseeeeeeseeeeeeeeeeeseeesssaeeesueesseeeeeeseeesseeseeauuseeseeeeeeeeeeseeeuaaaanneeseeeeeeees 5

4 Device MAnagGeMENt .........ccccccccceceec cece eee e eee eee eee e eee e eee eee eee eee HAHA NEEL E EE Eee EEE Sees eeeeaaaeS 6
4.1 Patch Classification 2.0... cece cece e treater eect eee e eter ee tnneeeeeeeeeeeeeeeeaee 6

4.2 Incomplete Data
4.3. Patch Scheduling
4.4 Vulnerability Severity Ratings .

4.5 Emergency Patching.

5 Where to go for help....

5.1 Additional Policies and Standards ......ssccccsecssseessseeessteeesseeesneeeeseeeetneeeennee 10
5.2 HOW to raiS€ a CONMCEMN «2... eect eet eee e ett tee eter ete tnneeeee ee ennieneeeeeeee 10
5.3. Who to contact for more information ..............ceeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee 10
6 Version Control & APProval.......ccccceseceeseeeeeeeeeeeeseeeeeeueeeeeaneseeaaeeeeeaaeeeeneeeennesenee 11
G.1 Version COntrol......cccccccccceeeeeeeeeeeeeeeee cece cece esse a eeeee eee e cece eeeeeeeeeeeseaaeee eee eeneee 11
6.2 — Standard Approval ..........:ssssseseeeseeeseeeeeeeeeeesseseseeeeeeeeeeseeeeeeeseseeeneeseeeseeeees 11

INTERNAL Page 2 of 11 Patch Management Standard v1.3
POL00362914
POL00362914

Post Office Limited - Document Classification: CONFIDENTIAL

1 Overview

1.1 Introduction by the Standard Owner

Post Office is committed to protecting its employees, customers, Third Party Supply Chain
and information assets from damaging or illegal actions by individuals, either knowingly
or unknowingly. Post Office enables this through the development and deployment of
policies, standards and guidelines which are aligned to international best practices.
Effective cyber and information security is a team effort involving everyone in Post Office.

1.2 Purpose

The purpose of the Patch Management Standard is to provide a structured and consistent
approach to patch management throughout the Post Office Group and to ensure that to
ensure that the opportunity to exploit Post Office systems and applications is minimised
by ensuring they are appropriately patched against security vulnerabilities.

1.3 Application

This policy applies to Post Office permanent employees, temporary employees,
agency contractors, consultants and anyone else working on behalf of the Post Office
accessing Post Office data and aligns to the requirements of the Cyber and Information
Security Policy.

INTERNAL Page 3 of 11 Patch Management Standard v1.3
POL00362914
POL00362914

Post Office Limited - Document Classification: CONFIDENTIAL

2 Policy Framework

2.1 Policy Framework

This standard forms part of the Cyber and Information Security Policy Set. This contains
controls that form part of the Information Technology Control Framework (ITCF) governed
by the overarching Post Office wide framework.

2.2 Who must comply?

Compliance with this standard is mandatory for all Post Office employees and applies
wherever in the world Post Offices business is undertaken. All third parties who do business
with Post Office, including consultants, suppliers and business and franchise partners, will
be required to agree contractually to this standard or have their own equivalent
policy/standard.

INTERNAL Page 4 of 11 Patch Management Standard v1.3
POL00362914
POL00362914

Post Office Limited - Document Classification: CONFIDENTIAL

3 Scope

The following software and hardware types are in scope for patch management

In Scope

Desktops and Servers (OS only)

Business Applications (windows software)

Business Applications (non-windows software)

Firmware

Cloud based Applications and Operating Systems

End Point Security system

Mobile devices (including tablets and smartphones)

Virtual systems

Network storage systems (including Storage Area Network (SAN) and Network-
Attached Storage (NAS))

Network equipment (including routers, switches, wireless access points and
firewalls, IPS, IDS, FIM, WAF, Proxy System etc.)

VoIP telephony software and conferencing equipment

Networked office equipment (including network printers, photocopiers, facsimile
machines, scanners and multifunction devices (MFDs))

Specialist systems (e.g., cyber-physical systems such as Internet of Things or
systems that support industrial control systems (including SCADA systems,
Distributed Control Systems (DCS) and Programmable Logic Controllers (PLC)).

If a need for patch management is identified but is not included in the above table, it is
the responsibility of the system owner to make sure that they are keeping their
departmental systems in compliance with this Standard. Failure to do so constitutes a
violation of policy.

INTERNAL Page 5 of 11 Patch Management Standard v1.3
POL00362914
POL00362914

Post Office Limited - Document Classification: CONFIDENTIAL

4 Device Management

All patches must be assessed in the context of Post Office’s environment, prioritised and
remediated according to business impact and criticality of the vulnerability.

The priority of patching activities will be based upon an analysis of the risk and take
account of where exposure is greatest, such as with Internet and external facing systems
and applications.

Only patches applicable to Post Office’s environment shall be applied through a formal
review and change management process.

Emergency security patches must be managed through the incident process and subject
to the same review and authorisation process as routine patches.

All patches must be tested in a non-production environment before implementation in the
production environment.

Systems must not directly access external networks such as the Internet for patching
updates; there shall be a central internal patching system, which is used by internal hosts
for patches.

There shall be a list of applications and applicable patches and a record of those applied
or not applied and the assessment upon which that decision has been made shall be
maintained.

Where patches are not available, e.g. for legacy systems then compensating controls must
be implemented through risk assessment performed and any residual risks managed.

4.1 Patch Classification

Vendor supplied security advisories and vulnerability patches are normally classified into
different severity classifications to help identify the importance of applying the patch. The
Industry Standard for classification of computer system security vulnerabilities is the
“Common Vulnerability Scoring System” or ‘CVSS’. Most Vendors will quote the CVSS
value of each patch as it is released, to enable the security threat associated with the
patch to be recognised.

Other methods for evaluating and scoring vulnerabilities are used by some vendors. These
will also provide a ‘Critical/High / Medium / Low’ categorisation.

4.2 Incomplete Data

With some vulnerabilities, all of the information needed to create CVSS scores may not be
available. This typically happens when a vendor announces a vulnerability but declines to
provide certain details. In such situations, NVD analysts assign CVSS scores using a worst-
case approach. Thus, if a vendor provides no details about a vulnerability, NVD will score
that vulnerability as a 10.0 (the highest rating).

INTERNAL Page 6 of 11 Patch Management Standard v1.3
POL00362914
POL00362914

Post Office Limited - Document Classification: CONFIDENTIAL

4.3. Patch Scheduling

Where a new applicable patch is released, the persons or team responsible for the support
of the IT infrastructure will download and review the new patch to assess, according to
the following:

e Emergency — Patch will resolve an imminent threat

e = Critical - Patch will resolve a security vulnerability
e Non critical - A standard patch release update

e Not applicable - Not relevant

Irrespective of platform or severity classification, all patches will follow a defined process
for patch deployment which includes:

Assessing the risk
Testing
Scheduling
Installing
Verifying

The persons or team responsible for the support of the IT infrastructure will assess the
patch and examine the impact of deployment. The assessment process will establish
whether the patch will cause any adverse effects. Typically, patches are to be assessed on
test systems, e.g. UAT environments, before being deployed on to live environments.

4.4 Vulnerability Severity Ratings

The National Institute of Standards and Technology (NIST) maintain a National
Vulnerability Database (NVD) that is a useful resource for communicating the impacts of
security vulnerabilities. Many vendors now subscribe to this methodology. The NVD
provides severity rankings of "Low," "Medium,", "High" and Critical in addition to the
numeric CVSS scores but these qualitative rankings are simply mapped from the numeric
CVSS scores:

INTERNAL Page 7 of 11 Patch Management Standard v1.3
Post Office Limited - Document Classification: CONFIDENTIAL

The following table defines the criticality rating and the required remediation time:

POL00362914
POL00362914

live

cvss Risk I JIRA Pen Risk Risk Risk POL Threat Score. POL Fix timescales if I Fix timescales if
: I Priority I Score I Impact I Likelihood I (RiskimpactXRisk I Threat I discovered within I discoveredin Live I
a te Likelihood) Rating project — environment
01 Low Lowest 10 i ce 1 vervtow I Withla oe ie 60 Days
1 2toS
0.23.9 Low Low 2.0-5.0 2t05 1 225 Low Within G0 Daye of eo: 60 Days

When no fix available a workaround must be agreed with IT Security until a permanent fix is available and implemented.

Medium

INTERNAL

Medium

Page 8 of 11

Medium

i
release) or will block
~ gorlive,

Patch Management Standard v1.3

Approved Exception Request
required if resolution is
outside of timescales and
product wished to go-live

Post Office Limited - Document Classification: CONFIDENTIAL

4.5 Emergency Patching

POL00362914
POL00362914

Where patches are deemed as Emergency patches which represent a resolution to an
imminent threat to the Post Office’s environment, there may be a greater risk of not
implementing the patch until after full testing. In such instances, the Post Office’s manager
responsible for IT security must be notified. An informed decision must be made based on
the risk identified and a decision to deploy the patch as soon as possible or to schedule it
into the next patching cycle must be made.

Critical or non-critical patches will undergo testing for each affected platform prior to
deployment. The persons or team responsible for the support of the IT infrastructure will
complete a validation against all images, e.g. Windows, UNIX, etc.

Operating System

Version updates to
the Operating
Systems

All operating systems and
firmware have to be supported
by a supplier that produces
regular fixes for any security
problems

Security Updates to fix All high-risk or critical security
security weaknesses _ I updates for applications
(including any associated files
and any plugins) installed within
7 days of release
Applications Version updates All applications on Post Office

devices must supported by a
supplier that produces regular
fixes for any security problems.

HNGA - App JAVA fat client

Non-windows version
updates

All applications on your devices
supported by a supplier that
produces regular fixes for any
security problems.

HNGA - App JAVA fat client
- Security updates

Non-windows
software updates to

All high-risk or critical security
updates for applications

fix security (including any associated files
weaknesses and any plugins) installed within
7 days of release
INTERNAL Page 9 of 11 Patch Management Standard v1.3
POL00362914
POL00362914

Post Office Limited - Document Classification: CONFIDENTIAL

5 Where to go for help

5.1 Additional Policies and Standards

This standard is part of the Cyber Security Policy framework. The full set can be found at:

https://poluk.sharepoint.com/sites/cybersecurity2/SitePages/Cyber-and-Information-
Security-Policy-Set.aspx

5.2 How to raise a concern

Any Post Office employee who suspects something is wrong has a duty to:

e Discuss the matter fully with their Line Manager; or,
e Report their suspicions by contacting the IT Helpdesk

5.3 Who to contact for more information

If you need further information about this standard or wish to ré

in relation
to this standard, please contact Cyber Security Team via cyber!

INTERNAL Page 10 of 11 Patch Management Standard v1.3
POL00362914

POL00362914

Post Office Limited - Document Classification: CONFIDENTIAL

6 Version Control & Approval

6.1 Version Control

Date Version Updated by Change Details

16/04/2018 0.1 IT Security First version for comment

11/05/2018 0.2 IT Security Updated with QSA comments.

23/05/2018 0.3 IT Security Updated post peer review

28/05/2018 1.0 IT Security Final Approved Version

23/11/2021 1.1 Cyber Security Updated the standard (Section 3, 4.1,

4.4 and 4.5) according to the POL
Vulnerability Management Standard.

10/04/2023 1.2 Cyber Compliance Annual update and review. Wider
business input for UCF update
required.

25/04/2023 1.3 Cyber Compliance CSF approval for publication.

6.2 Standard Approval

Standard Owner: Chief Information Security Officer
Standard Author: Ehtsham Ali
Approved by CSF: 25/04/2023
Next review: 25/04/2024

INTERNAL Page 11 of 11 Patch Management Standard v1.3