1. Purpose
Establish requirements and procedures for the timely application of security patches and updates to [ORGANIZATION]'s enterprise assets and software to reduce vulnerability exposure.
2. Scope
This policy applies to all enterprise assets including operating systems, applications, firmware, network devices, and middleware within [ORGANIZATION]'s environment.
3. Policy
3.1 Patch Deployment SLAs
Security patches shall be deployed according to the following SLAs:
| Patch Severity | Testing Window | Deployment SLA | Coverage Target |
|---|---|---|---|
| Emergency/Zero-Day (actively exploited) | [CUSTOMIZE: 24-48 hours] | [CUSTOMIZE: 48-72 hours] | 100% of affected critical assets |
| Critical (CVSS >= 9.0) | [CUSTOMIZE: 3-5 days] | [CUSTOMIZE: 7-14 days] | 100% of affected assets |
| High (CVSS 7.0-8.9) | [CUSTOMIZE: 5-7 days] | [CUSTOMIZE: 30 days] | 95% of affected assets |
| Medium/Low | [CUSTOMIZE: Standard testing] | [CUSTOMIZE: 60-90 days or next maintenance window] | 90% of affected assets |
3.2 Patch Process
All patches shall be tested in a non-production environment before deployment to production, except for emergency patches where the risk of not patching exceeds the risk of testing delay.
Patch deployment shall be scheduled during approved maintenance windows where possible to minimize business disruption.
Rollback procedures shall be documented and tested for all critical system patches before deployment.
Patch deployment status shall be tracked and reported to [CUSTOMIZE: CISO/IT Management] at least [CUSTOMIZE: monthly/weekly].
3.3 Patch Compliance
Patch compliance levels shall be measured and reported monthly, with a target of [CUSTOMIZE: 95%/98%] compliance within defined SLAs.
Systems that cannot be patched shall have documented exceptions with compensating controls approved by [CUSTOMIZE: CISO/IT Director].
Unpatched systems exceeding SLA without an approved exception may be quarantined or disconnected from the network at the discretion of [CUSTOMIZE: CISO/IT Security].
4. Compliance
Compliance with this policy is mandatory for all personnel within its scope. Compliance will be monitored through periodic audits, automated controls, and management review.
Exceptions to this policy must be documented with a business justification, approved by [CUSTOMIZE: CISO/Security Team], and reviewed at least annually.
5. Enforcement
Violations of this policy may result in disciplinary action up to and including termination of employment or contract, and may result in civil or criminal penalties where applicable law has been violated.
[ORGANIZATION] reserves the right to audit compliance with this policy at any time, with or without notice.
6. Review and Revision
This policy shall be reviewed at least annually by [CUSTOMIZE: CISO/Policy Owner] and updated as necessary to reflect changes in the threat landscape, regulatory requirements, or organizational structure.
All revisions shall be documented with version number, date, author, and description of changes.
Policy Approval
| Approved By | Title | Date |
|---|---|---|
| | | |
Document Control