Patch Management
Patch Deadlines by Severity
| Severity | CVSS | Deadline | Escalation upon Overdue |
|---|---|---|---|
| Critical | >= 9.0 | 48 hours | Immediately to CISO + Executive Management |
| High | 7.0-8.9 | 7 days | After 5 days to CISO |
| Medium | 4.0-6.9 | 30 days | Monthly report |
| Low | < 4.0 | Next release cycle | Quarterly report |
Patch Process
Standard Process (Medium / Low)
- Vulnerability identified through scanning or CVE monitoring
- Assessment and prioritization
- Test patch in staging environment
- Deploy to production within the deadline
- Verification: scan confirms remediation
Emergency Process (Critical / High)
- Immediate assessment by IT Ops + CISO
- Implement workaround if patch is not immediately available (e.g., WAF rule, network isolation)
- Test patch (shortened test phase, parallel if necessary)
- Emergency deployment (outside regular maintenance windows permitted)
- Verification and documentation
Emergency Patching
Critical vulnerabilities (CVSS >= 9.0) must be addressed within 48 hours. If a patch is not available, compensating controls must be implemented immediately and documented. The CISO must approve all emergency patches.
Exception Handling
When a patch cannot be applied within the deadline:
| Step | Description |
|---|---|
| Justification | Documented rationale (technical incompatibility, patch unavailability) |
| Compensating measure | Workaround, network isolation, enhanced monitoring |
| Approval | CISO approval required; executive management approval for critical systems |
| Time limit | Maximum exception duration defined, with review date |
Patch Tracking Metrics
| Metric | Measurement | Target |
|---|---|---|
| Patch compliance rate | Percentage of vulnerabilities patched within deadline | >= 95% |
| Mean Time to Patch (MTTP) | Average time from CVE publication to patch deployment | Critical: < 48h, High: < 7d |
| Open critical vulnerabilities | Number of unpatched CVSS >= 9.0 vulnerabilities | 0 |
| Exceptions | Number of active patch exceptions | Minimize |
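The deadline tiers and tracking metrics above can be computed mechanically from a vulnerability register. The following is an added illustration, not part of this policy document: it encodes the CVSS thresholds and deadlines from the table, then derives compliance rate, MTTP per tier, open critical findings and the overdue list that would trigger escalation. The finding records, ids and dates are constructed sample data; "next release cycle" for Low has no fixed deadline and is treated as not measurable, and compliance is assumed to be measured only over findings that are patched or already past their deadline.

```python
from datetime import datetime, timedelta

# Policy tiers from the deadline table: (CVSS lower bound, tier, deadline).
# Low ("next release cycle") has no fixed deadline and is modelled as None.
TIERS = [
    (9.0, "Critical", timedelta(hours=48)),
    (7.0, "High", timedelta(days=7)),
    (4.0, "Medium", timedelta(days=30)),
    (0.0, "Low", None),
]

def classify(cvss):
    """Map a CVSS base score to its policy tier and remediation deadline."""
    for lower, tier, deadline in TIERS:
        if cvss >= lower:
            return tier, deadline
    raise ValueError(f"invalid CVSS score: {cvss}")

def patch_metrics(findings, now):
    """Each finding: {"id", "cvss", "published", "patched"}; patched is None while open.
    Assumption: compliance counts findings that are patched or already past due;
    open findings still inside their window are not yet measurable."""
    within = measured = 0
    mttp = {}            # tier -> list of (patched - published) durations
    overdue = []         # open findings past deadline: escalation candidates
    open_critical = []   # metric target is 0
    for f in findings:
        tier, deadline = classify(f["cvss"])
        if f["patched"] is None and tier == "Critical":
            open_critical.append(f["id"])
        if deadline is None:
            continue
        due = f["published"] + deadline
        if f["patched"] is not None:
            measured += 1
            if f["patched"] <= due:
                within += 1
            mttp.setdefault(tier, []).append(f["patched"] - f["published"])
        elif now > due:
            measured += 1
            overdue.append(f["id"])
    return {
        "compliance_pct": round(100 * within / measured, 1) if measured else None,
        "mttp": {t: sum(d, timedelta()) / len(d) for t, d in mttp.items()},
        "open_critical": open_critical,
        "overdue": overdue,
    }

# Constructed sample register (placeholder ids, not real CVEs).
SAMPLE = [
    {"id": "VULN-1", "cvss": 9.8, "published": datetime(2024, 1, 1), "patched": datetime(2024, 1, 2, 12)},
    {"id": "VULN-2", "cvss": 9.1, "published": datetime(2024, 1, 3), "patched": None},
    {"id": "VULN-3", "cvss": 7.5, "published": datetime(2024, 1, 1), "patched": datetime(2024, 1, 10)},
    {"id": "VULN-4", "cvss": 5.0, "published": datetime(2024, 1, 1), "patched": None},
    {"id": "VULN-5", "cvss": 3.1, "published": datetime(2024, 1, 1), "patched": None},
]
NOW = datetime(2024, 1, 6)
```

With the sample register, VULN-2 appears in both the open-critical and overdue lists, which under the table above means immediate escalation to the CISO and executive management.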