Patch Management Process


Process Owner: Manager, IT Performance Achievement

Note: An owner must be a PCES-level manager.

PURPOSE

The enterprise Patch Management Process establishes a unified patching approach across systems that are in the Payment Card Industry (PCI) Cardholder Data Environment (CDE).

SCOPE

This process is used in conjunction with all IT and Security Policies, Processes, and Standards, including those listed in the Supporting Documentation section. It applies to:

Process

Patch Management Process

The patch management process is as follows:

  1. Assess vendor-provided patches and document the assessment. If the assessed patches:

    • Address a critical vulnerability as described in the Risk Ranking Policy: They must be implemented within 30 days of vendor release.

    • Do not address a critical vulnerability: They must be implemented in the next standard patching cycle.

    • Do not apply: Document in the Patch Assessment as an Exclusion.

  2. Obtain approval for the assessment. The process ends here for approved Exclusions.

  3. Schedule patches for testing and implementation.

  4. Test patches.

  5. Implement patches in the Production environment.

  6. Validate and test patch implementation.

Implementation Deadline

Risk Ranking     Implementation Deadline     Implementation Schedule
Critical         30 Days                     Compressed
Non-critical     90 Days                     Standard

Patch Exception

An applicable patch that cannot be implemented by the implementation deadline is an exception and requires a Security Exception Letter. The table below describes how this form is completed and approved.

When a patch exception may occur      Who completes the form and obtains approvals
During the initial assessment         Functional Support
During testing or implementation      Functional Support or Business Owner
At any time for business reasons      Business Owner

Note: Functional Support is defined as the group responsible for identifying and assessing patches and performing Functionality Testing. Business Owner is defined as the Business Relationship Management Program Manager (BRM PM) or an equivalent stakeholder.

SUPPORTING DOCUMENTATION

Access Supporting Documentation from ITWEB (internal):

Access Supporting Documentation from USPS.com (external):

For access to the following documents, contact the US Postal Service. See Publication 5, Let's Do Business for further information about local US Postal Service contacts.

REVISION HISTORY

Version   Date         Description
1.0       06.01.2014   Initial release.
1.1       07.11.2014   Added link to Patch Exception or Deferment Form. Updated "Patch Exception or Deferment" statement to align with Patch Exception or Deferment Form.
1.2       11.12.2014   Process: Updated to align with current practice. Added a Roles section. Moved up the Patch Exception or Deferment section to immediately follow the Roles section. Added a table to define patch exceptions, deferments, and exclusions. Added a note to define missed patches.
2.0       02.27.2015   Process: Elevated process to a higher level to align with current practices. Removed "This process is effective as of July 1, 2014." because the date has passed. This information will be retained in the Revision History for historic purposes.
2.0.1     02.05.2016   Annual Review: The annual review for functional accuracy and current PCI requirements has been completed. CR 145819. Non-substantive change: Risk Ranking Policy replaced Risk Ranking Standards, and Security Exception Letter replaced Patch Exception Form; updated references and hyperlinks.
2.0.2     08.17.2016   Annual Review: The annual review for functional accuracy and current PCI requirements has been completed. CR 202508