Standard:
YALE-MSS-6.1: Apply security patches regularly
YALE-MSS-6.1.1: Apply all security patches to operating systems, software, and firmware based on risk
Details
Apply all security patches to operating systems, software, and firmware based on risk. For endpoint and mobile devices, configure automatic patching. Yale Managed Workstations are configured for automatic patching.
Vulnerabilities must be patched within 30 days of patch availability. Critical severity vulnerabilities (CVSS score of 9.0 or higher; see Guidance) must be patched immediately upon patch availability.
These four questions will help you decide if an emergency response is required. If you answer “yes” to at least three of the questions, invoke your emergency patch process (see YALE-MSS-6.1.3).
- Is the system a High Risk system?
- Is the CVSS v2 or v3 score 7.0 or higher?
- Is the vulnerability in an Internet Accessible system?
- Is there an active exploit?
Guidance on the four questions to decide if you need emergency patching:
- Is the system a High Risk system? See the Risk Classification Guideline.
- Is the CVSS v2 or v3 score 7.0 or higher? The Common Vulnerability Scoring System (CVSS) is a free and open industry standard for rating the severity of security vulnerabilities. You can usually find the CVSS score in the National Vulnerability Database (NVD) or from your software vendor; note that the v2 and v3 scores for the same vulnerability often differ.
- Is the vulnerability in an Internet Accessible system? We define Internet Accessible (IA) in our MSS Key.
- Is there an active exploit? This answer can change over time: the longer a vulnerability has been public, the more likely an active exploit exists. If you answered "no" to this question but "yes" to two or more of questions 1, 2, and 3, you must re-check the exploit status weekly. If an active exploit becomes known, invoke your emergency patch process (see YALE-MSS-6.1.3).
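The timing rules above (30-day window, immediate patching at CVSS 9.0 or higher, the three-of-four emergency test, and the weekly exploit re-check) can be encoded so a vulnerability feed is sorted into the required action automatically. The following is an added example written for this page, not code from the Yale MSS; the Finding fields (high_risk, cvss, internet_accessible, active_exploit, patch_available) and the sample findings are assumptions constructed for illustration, not an interface or data the standard defines.

```python
"""Triage helper encoding the YALE-MSS-6.1.1 patch-timing rules.

Added example, not part of the standard. Field names and sample data below
are constructed for illustration.

Rules encoded:
  * CVSS >= 9.0 -> patch immediately upon patch availability
  * "yes" to at least three of the four emergency questions -> emergency process
  * "no" to the active-exploit question but "yes" to two of the other three
    -> monitor exploit status weekly; the 30-day deadline still applies
  * everything else -> patch within 30 days of patch availability
"""
from dataclasses import dataclass, replace
from datetime import date, timedelta
from typing import Dict, List

STANDARD_WINDOW = timedelta(days=30)
CRITICAL_CVSS = 9.0      # "critical severity" threshold in the standard
EMERGENCY_CVSS = 7.0     # threshold used by emergency question 2


@dataclass(frozen=True)
class Finding:
    id: str
    high_risk: bool            # Q1: High Risk system per the Risk Classification Guideline
    cvss: float                # Q2: highest published CVSS v2 or v3 score
    internet_accessible: bool  # Q3: Internet Accessible per the MSS Key
    active_exploit: bool       # Q4: active exploit known
    patch_available: date      # date the vendor patch became available


@dataclass(frozen=True)
class Decision:
    action: str                # "immediate" | "emergency" | "standard"
    deadline: date             # latest acceptable patch date
    monitor_weekly: bool       # re-check exploit status weekly
    yes_count: int             # number of "yes" answers to the four questions


def emergency_answers(f: Finding) -> List[bool]:
    """The four emergency questions, in the order the standard lists them."""
    return [f.high_risk, f.cvss >= EMERGENCY_CVSS, f.internet_accessible, f.active_exploit]


def triage(f: Finding) -> Decision:
    answers = emergency_answers(f)
    yes_count = sum(answers)
    hard_deadline = f.patch_available + STANDARD_WINDOW  # applies to every finding

    if f.cvss >= CRITICAL_CVSS:
        # Critical severity: immediately upon patch availability, regardless of the questions
        return Decision("immediate", f.patch_available, False, yes_count)
    if yes_count >= 3:
        # Emergency patch process (YALE-MSS-6.1.3); 30 days remains the outer bound
        return Decision("emergency", hard_deadline, False, yes_count)
    # Q4 answered "no" but two of Q1..Q3 answered "yes": weekly exploit monitoring
    monitor = (not f.active_exploit) and sum(answers[:3]) == 2
    return Decision("standard", hard_deadline, monitor, yes_count)


def on_exploit_published(f: Finding) -> Decision:
    """Re-triage when an active exploit becomes known (the Q4 answer can change)."""
    return triage(replace(f, active_exploit=True))


def triage_all(findings: List[Finding]) -> Dict[str, Decision]:
    return {f.id: triage(f) for f in findings}


# Constructed sample findings (not real vulnerabilities or Yale systems)
SAMPLE = [
    Finding("F-1", high_risk=True,  cvss=7.5, internet_accessible=True,  active_exploit=False, patch_available=date(2024, 1, 1)),
    Finding("F-2", high_risk=True,  cvss=7.5, internet_accessible=False, active_exploit=False, patch_available=date(2024, 1, 1)),
    Finding("F-3", high_risk=False, cvss=9.8, internet_accessible=False, active_exploit=False, patch_available=date(2024, 1, 1)),
    Finding("F-4", high_risk=False, cvss=5.0, internet_accessible=True,  active_exploit=True,  patch_available=date(2024, 1, 1)),
]

if __name__ == "__main__":
    for fid, d in triage_all(SAMPLE).items():
        print(f"{fid}: {d.action:9s} by {d.deadline}  monitor_weekly={d.monitor_weekly}  yes={d.yes_count}")
```

F-2 is the case the last guidance bullet describes: two "yes" answers and no known exploit, so it stays on the 30-day clock with weekly monitoring, and on_exploit_published(F-2) flips it to the emergency process the moment an exploit is reported.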