Patch Management Policy
Policy Owner: Manager, IT Performance Achievement
Note: An owner must be a PCES-level manager.
The enterprise Patch Management Policy establishes a unified patching approach across systems that are supported by the Postal Service Information Technology (IT) organization.
This policy applies to:
- The IT Computing environment.
- All Postal Service employees and contracted personnel involved in patching activities in the IT Computing environment.
Patches are implemented based on criticality ranking of the vulnerability that is being patched as described in the Risk Ranking Policy.
For all IT Computing systems, the following activities must take place:
- Vendor-released patches are assessed and assessment is
- Patches are tested; testing is documented and approved prior to
implementation in Production.
- Patches are implemented on either a standard or compressed schedule as
described in the Patch
Management Process and individual Patch
- Implementation is validated to ensure that all approved patches have been implemented.
Access Supporting Documentation from ITWEB (Internal):
Access Supporting Documentation from USPS.com (External):For access to the following documents, contact the US Postal Service. See Publication 5, Let's Do Business for further information about local US Postal Service contacts.
- Risk Ranking Policy
- Patch Management Procedures (multiple)
|1.1||11.07.2014||Updated definitions for consistency across all Patching documents.|
|1.1.1||07.15.2015||Annual Review: The annual review for functional accuracy and current PCI DSS requirements has been completed. CR 89584|
|1.1.2||02.05.2016||Annual Review: The annual review for functional accuracy and current PCI requirements has been completed. CR 145819
Non-substantive change: Risk Ranking Policy replaced Risk Ranking Standards; updated references and hyperlinks.
|1.1.3||08.17.2016||Annual Review: The annual review for functional accuracy and current PCI requirements has been completed. CR 202501|