IT Change Management — IT Certificate
Critical Security and Functionality Patches
Many cybersecurity incidents exploit vulnerabilities for which a patch already existed but had not yet been applied. In the 2017 Equifax data breach, for example, a failure to patch a critical system, together with an expired certificate on the device that inspected encrypted network traffic (which left the attackers' activity unobserved for months), led to the compromise of the personally identifiable information (PII) of approximately 148 million consumers. A report from the U.S. House of Representatives Committee on Oversight and Government Reform stated: "Equifax failed to fully appreciate and mitigate its cybersecurity risks. Had the company taken action to address its observable security issues prior to this cyberattack, the data breach could have been prevented."
The volume of urgent patches that must be applied to the operational infrastructure, combined with a shortage of personnel qualified to assess and implement them, can itself become a critical risk. To keep existing systems secure, patches should be applied on a regular schedule to all critical applications and devices. Timeframes for applying a patch are usually tied to the criticality (risk) of the affected system, which each organization must determine for itself.
Many IT professionals, especially in North America, are familiar with "Patch Tuesday," the unofficial name for the release pattern Microsoft has established for its patches. Microsoft typically publishes security updates for its software products on the second Tuesday of each month, and sometimes additional updates on the fourth Tuesday; a single monthly release may contain more than one hundred patches. Microsoft does not restrict releases to these days (out-of-band updates are issued for urgent issues), but the pattern has been standard practice since 2003.
Vulnerabilities
The National Vulnerability Database (NVD) assigns each published vulnerability a CVSS base score from 0.0 to 10.0; the score describes the vulnerability, not the patch that fixes it. Under CVSS v3.x, scores of 7.0 to 8.9 are rated High and 9.0 to 10.0 Critical. Vulnerabilities in these bands are more likely to expose data and information assets and/or to allow an attacker to take control of the affected device or system.
Management should understand how critical vulnerabilities are discovered and what process is
followed to assess, test, and address weaknesses.
A zero-day is a vulnerability or weakness in a system that has been discovered but for which the vendor has not yet provided a formal remediation. Organizations should have a plan for zero-day vulnerabilities because they may not be able to wait for a patch or other mitigation instructions. Instead, the organization may need to conduct an immediate, high-level threat analysis and implement a compensating control (for example, restricting network access to the affected system or disabling the vulnerable feature) until a patch is available.
For organizations that rely on third-party vendors for cloud application services, management should understand the vendor's patch policy and how the vendor actually manages patches in practice. This information is typically found in the vendor's service organization control (SOC) reports.
Effective Patch Management
The release of a patch for a critical security vulnerability can be disruptive and may require significant resources to be redirected from planned work to the unplanned patch.
Copyright © 2020 by The Institute of Internal Auditors, Inc. All rights reserved.