
YALE-MSS-6.1.1: Implement an emergency patch process

Standard:
YALE-MSS-6.1: Apply security patches regularly

Endpoint: Low Risk - Required; Moderate Risk - Required; High Risk - Required
Server: Low Risk - Required; Moderate Risk - Required; High Risk - Required
Mobile Device: Low Risk - Required; Moderate Risk - Required; High Risk - Required
Network Printer: Low Risk - Required; Moderate Risk - Required; High Risk - Required

Details

An emergency patch is one applied outside of a regular maintenance window.

The Common Vulnerability Scoring System (CVSS) is a free and open industry standard for assessing the severity of computer system security vulnerabilities. The CVSS score can normally be found in the National Vulnerability Database or obtained from the relevant vendor.

Critical severity vulnerabilities (with a CVSS score of 9 or more) must be patched immediately upon patch availability.

For non-critical vulnerabilities, the four conditions below will help determine if an emergency response is required. If at least three of the four conditions are met, an emergency patch process must be invoked.

  1. The system is classified as high-risk.
  2. The vulnerability has a CVSS v2 or v3 score that is 7.0 or higher.
  3. The system is accessible from the internet.
  4. There is an active exploit for the vulnerability in question.

The likelihood of an active exploit increases as the vulnerability ages. Monitor weekly for active exploits.
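
The decision rule above, applied to a small inventory, as an added example that is not part of the standard itself. The Finding fields, the sample records, the "watch" label (findings that would become emergencies if an exploit appears, which is what the weekly monitoring looks for) and the handling of a missing CVSS score are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Finding:
    name: str                # constructed label, not a real vulnerability ID
    cvss: Optional[float]    # CVSS v2 or v3 base score; None if not yet published
    high_risk: bool          # condition 1: system is classified as high-risk
    internet_accessible: bool  # condition 3
    active_exploit: bool     # condition 4


def triage(f: Finding) -> str:
    """Return 'critical', 'emergency', 'watch' or 'regular' for one finding."""
    # Critical severity (CVSS 9 or more): patch immediately once a patch exists.
    if f.cvss is not None and f.cvss >= 9.0:
        return "critical"
    # Assumption: a missing score does not satisfy condition 2.
    score_met = f.cvss is not None and f.cvss >= 7.0
    met = sum([f.high_risk, score_met, f.internet_accessible, f.active_exploit])
    if met >= 3:
        return "emergency"
    # Two conditions met without an exploit: one new exploit tips this to
    # 'emergency', so it belongs on the weekly exploit-monitoring list.
    if met == 2 and not f.active_exploit:
        return "watch"
    return "regular"


# Constructed sample inventory.
INVENTORY = [
    Finding("vuln-A", 9.0, False, False, False),
    Finding("vuln-B", 7.5, True, True, False),
    Finding("vuln-C", 7.0, False, True, False),
    Finding("vuln-D", 6.9, True, False, True),
    Finding("vuln-E", None, True, True, True),
    Finding("vuln-F", 5.0, False, False, False),
]


def triage_all(findings):
    """Map each finding name to its triage outcome."""
    return {f.name: triage(f) for f in findings}


if __name__ == "__main__":
    for name, outcome in triage_all(INVENTORY).items():
        print(f"{name}: {outcome}")
```

Re-running the triage after each weekly exploit check shows which "watch" findings have moved to "emergency".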