
YALE-MSS-6.1: Apply security patches regularly

Standards Group:
YALE-MSS-6: Patching


  • Endpoint: Low Risk: Required; Moderate Risk: Required; High Risk: Required
  • Server: Low Risk: Required; Moderate Risk: Required; High Risk: Required
  • Mobile Device: Low Risk: Required; Moderate Risk: Required; High Risk: Required
  • Network Printer: Low Risk: Required; Moderate Risk: Required; High Risk: Required

Details

Timely patching is critical to safeguarding the security of IT systems and data. This includes, but is not limited to, patching:

  • Operating systems
  • Supporting software
  • Applications
  • Containers
  • Firmware

To be effective, patches must be applied soon after becoming available. Moreover, some vulnerabilities require emergency patching in a compressed timeframe, based on severity and exposure.

The process for evaluating and applying patches (in both normal and emergency circumstances) should be documented and managed by the system owner.

Apply security patches to your systems within 30 days of patches becoming available.

For endpoint and mobile devices, configure automatic patching. Yale Managed Workstations are configured for automatic patching.

If you use containers like Docker, patching requirements are met as follows.

  • For images that are actively maintained by a vendor or open source project: check the vendor/project images every 30 days and redeploy them when new iterations are available
  • For images built in-house at Yale:
    • Deploy new images as soon as they are available for production, according to the project's cadence
    • It is expected that vulnerabilities will be addressed within 30 days of patches becoming available and in a fashion commensurate with their urgency