Page 280 - ITGC_Audit Guides
The National Vulnerability Database (NVD) assigns each published vulnerability a CVSS base score from 0.0 to 10.0. The score rates the vulnerability itself, not the patch that fixes it. Under CVSS v3, scores of 9.0 to 10.0 are rated critical and 7.0 to 8.9 high; vulnerabilities in these bands are more likely to expose data and information assets and/or to allow a bad actor to take over an affected device or system. Management should understand how critical vulnerabilities are discovered and what process is followed to assess, test, and address them.
Zero-day refers to a vulnerability or weakness in a system that has been discovered, and may already be under active exploitation, but for which the vendor has not yet provided a formal remediation. Organizations should have a plan for addressing zero-day vulnerabilities because they may not be able to wait for a patch or vendor mitigation instructions. Instead, the organization may need to conduct an immediate threat analysis and implement a compensating control (for example, restricting network access to the affected service or disabling the vulnerable feature) until a patch is available and deployed.
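The two preceding points (scoring from the NVD and routing zero-days differently from patchable vulnerabilities) can be made concrete as triage logic. The following is an added example, not part of this guide and not IIA or NVD code. It assumes the record layout of an NVD API 2.0 JSON response (vulnerabilities[].cve.metrics.cvssMetricV31[].cvssData.baseScore); the feed contents, CVE placeholders (year 0000, so they cannot collide with real entries), and the fix-availability table are constructed for the example. Whether a vendor fix exists is the organization's own tracking data, since the NVD record does not state it.

```python
"""Triage NVD vulnerability records by CVSS base score and fix availability.

Added example; not part of the IIA guide. The record layout follows the
NVD API 2.0 JSON response shape (an assumption); all records are constructed.
"""
import json

# CVSS v3.x qualitative severity bands as published by FIRST:
# (lower bound inclusive, label), checked from highest to lowest.
SEVERITY_BANDS = (
    (9.0, "CRITICAL"),
    (7.0, "HIGH"),
    (4.0, "MEDIUM"),
    (0.1, "LOW"),
    (0.0, "NONE"),
)


def severity_for_score(score):
    """Map a CVSS v3.x base score (0.0-10.0) to its qualitative rating."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    for lower_bound, label in SEVERITY_BANDS:
        if score >= lower_bound:
            return label
    return "NONE"


def base_score(cve):
    """Return the v3 base score of one NVD 'cve' object, preferring CVSS v3.1
    over v3.0. Returns None when the record carries no v3 metric (NVD publishes
    entries before analysis completes; v2-only records use a different scale
    and are deliberately treated as unscored here)."""
    metrics = cve.get("metrics", {})
    for key in ("cvssMetricV31", "cvssMetricV30"):
        entries = metrics.get(key)
        if entries:
            return float(entries[0]["cvssData"]["baseScore"])
    return None


def triage(feed_json, fix_available):
    """Classify each record and decide how it enters change management.

    feed_json     - JSON text shaped like an NVD API 2.0 response (assumption).
    fix_available - dict of CVE id -> bool from the organisation's own
                    vendor-patch tracking.
    Returns a list of dicts ordered highest score first (unscored last).
    """
    results = []
    for item in json.loads(feed_json)["vulnerabilities"]:
        cve = item["cve"]
        cve_id = cve["id"]
        score = base_score(cve)
        severity = "UNSCORED" if score is None else severity_for_score(score)
        if fix_available.get(cve_id, False):
            # A vendor fix exists: the patch is a planned change and goes into
            # the normal evaluate-test-release queue; severity sets its priority.
            route = "planned_change"
        elif severity in ("CRITICAL", "HIGH"):
            # Zero-day with high impact: cannot wait for a patch, so perform a
            # threat analysis now and put a compensating control in place.
            route = "compensating_control"
        elif severity == "UNSCORED":
            # No usable score yet: a person must assess exposure by hand.
            route = "manual_review"
        else:
            route = "monitor_for_fix"
        results.append({"id": cve_id, "score": score,
                        "severity": severity, "route": route})
    results.sort(key=lambda r: -1.0 if r["score"] is None else r["score"],
                 reverse=True)
    return results


# Constructed sample shaped like an NVD API 2.0 response (layout is an
# assumption; the CVE ids are placeholders, not real entries).
SAMPLE_FEED = json.dumps({
    "vulnerabilities": [
        {"cve": {"id": "CVE-0000-0001",
                 "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 9.8}}]}}},
        {"cve": {"id": "CVE-0000-0002",
                 "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 7.5}}]}}},
        {"cve": {"id": "CVE-0000-0003",
                 "metrics": {"cvssMetricV30": [{"cvssData": {"baseScore": 6.9}}]}}},
        {"cve": {"id": "CVE-0000-0004", "metrics": {}}},
    ]
})
# Constructed: only the first placeholder has a vendor patch available.
SAMPLE_FIXES = {"CVE-0000-0001": True}

if __name__ == "__main__":
    for row in triage(SAMPLE_FEED, SAMPLE_FIXES):
        print(row)
```

The routing mirrors the guide's distinction: anything with a vendor fix enters the normal change queue regardless of score, while a high-impact vulnerability with no fix is the zero-day case that needs an immediate compensating control. Records without a score are surfaced rather than silently dropped, which is the failure mode an auditor should look for in an automated feed.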
For organizations relying on third-party vendors for cloud application services, management should understand the vendor's patch policy and how the vendor manages patches in practice. This information is typically found in service organization control (SOC) reports, which describe the vendor's controls and the service auditor's testing of them.
Effective Patch Management
The release of a patch for a critical security vulnerability can be disruptive: significant resources may be redirected from planned work to deploy the unplanned patch, and until it is deployed the organization remains exposed to security incidents. Worse, even a successfully deployed patch can cause unintended problems, such as servers becoming nonfunctional and unable to deliver critical services.
Organizations with effective patching functions treat a new patch as a predictable, planned change subject to the normal change management process. The patch is added to the queue to be evaluated, tested, and integrated into an already-scheduled release deployment, with a defined emergency path reserved for patches that cannot wait for the next release. Following a well-defined process for integrating patches leads to a much higher change success rate.
17 — theiia.org