Standard:
YALE-MSS-6.1: Apply security patches regularly
YALE-MSS-6.1.1: Apply all security patches to operating systems, software, and firmware based on risk
Low Risk Endpoint: Required
Moderate Risk Endpoint: Required
High Risk Endpoint: Required
Low Risk Server: Required
Moderate Risk Server: Required
High Risk Server: Required
Low Risk Mobile Device: Required
Moderate Risk Mobile Device: Required
High Risk Mobile Device: Required
Low Risk Network Printer: Required
Moderate Risk Network Printer: Required
High Risk Network Printer: Required
Details
Apply all security patches to operating systems, software, and firmware based on risk. For endpoint and mobile devices, configure automatic patching. Yale Managed Workstations are configured for automatic patching.
Critical, high, and medium severity vulnerabilities must be patched within 30 days.
Some vulnerabilities need an emergency response in fewer than 30 days. These four questions will help you decide whether an emergency response is required. If you answer "yes" to at least three of the questions, invoke your emergency patch process (see YALE-MSS-6.1.5).
- Is the system a High Risk system?
- Is the CVSS v2 or v3 score 7.0 or higher?
- Is the vulnerability in an Internet Accessible system?
- Is there an active exploit?
Guidance on the four questions to decide if you need emergency patching:
- Is the system a High Risk system? See the Risk Classification Guideline.
- Is the CVSS v2 or v3 score 7.0 or higher? The Common Vulnerability Scoring System (CVSS) is a free and open industry standard for rating the severity of security vulnerabilities. You can usually find the CVSS base score in the National Vulnerability Database or from your software vendor.
- Is the vulnerability in an Internet Accessible system? We define Internet Accessible (IA) in our MSS Key.
- Is there an active exploit? This answer can change. The longer the vulnerability is known, the more likely there is an active exploit. If you answered "no" to this question, but "yes" to two or more of questions 1, 2, and 3, you must monitor the status of exploits weekly. If an active exploit becomes known, you must implement your emergency patch process (see YALE-MSS-6.1.5).
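The following script encodes the four-question triage and the 30-day window above so that a finding can be classified consistently and re-checked weekly. It is an added example, not a tool from the Yale standard or from Yale ITS: the Finding fields, the sample findings and the "monitor-weekly" label are assumptions of this example, and the severity bands follow the published CVSS v3 qualitative ratings.

```python
"""Triage helper for the YALE-MSS-6.1.1 emergency-patch questions.

Added example, not part of the Yale standard. The Finding fields, the
action labels and the sample findings are assumptions of this example.
"""
from dataclasses import dataclass, replace
from datetime import date, timedelta
from typing import Optional, Tuple, Union

STANDARD_WINDOW_DAYS = 30     # critical/high/medium must be patched within 30 days
EMERGENCY_THRESHOLD = 3       # "yes" to at least three of the four questions
CVSS_EMERGENCY_SCORE = 7.0    # question 2: CVSS v2 or v3 score of 7.0 or higher
CVSS_MEDIUM_FLOOR = 4.0       # medium band starts at 4.0 in both CVSS v2 and v3


@dataclass(frozen=True)
class Finding:
    ident: str                 # local tracking id (assumed; not a CVE)
    cvss_score: float          # published v2 or v3 base score
    high_risk_system: bool     # question 1 (per the Risk Classification Guideline)
    internet_accessible: bool  # question 3 (per the MSS Key definition of IA)
    active_exploit: bool       # question 4; this answer can change over time
    known_since: date          # when the vulnerability became known to you


def cvss_severity(score: float) -> str:
    """Map a CVSS v3 base score to its published qualitative rating."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    if score > 0.0:
        return "low"
    return "none"


def question_answers(f: Finding) -> Tuple[bool, bool, bool, bool]:
    """Answers to the four questions, in the order the standard lists them."""
    return (
        f.high_risk_system,
        f.cvss_score >= CVSS_EMERGENCY_SCORE,
        f.internet_accessible,
        f.active_exploit,
    )


def triage(f: Finding, today: Union[date, str]) -> dict:
    """Classify a finding as emergency, monitor-weekly or standard."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    q1, q2, q3, q4 = question_answers(f)
    yes_count = sum((q1, q2, q3, q4))
    if yes_count >= EMERGENCY_THRESHOLD:
        action = "emergency"          # invoke the emergency patch process
    elif not q4 and sum((q1, q2, q3)) >= 2:
        action = "monitor-weekly"     # no exploit yet, but re-check exploit status weekly
    else:
        action = "standard"
    # The 30-day window applies to medium severity and above; the page
    # states no deadline for low-severity findings, so none is computed.
    deadline: Optional[date] = None
    if f.cvss_score >= CVSS_MEDIUM_FLOOR:
        deadline = f.known_since + timedelta(days=STANDARD_WINDOW_DAYS)
    return {
        "ident": f.ident,
        "severity": cvss_severity(f.cvss_score),
        "yes_count": yes_count,
        "action": action,
        "deadline": deadline,
        "overdue": deadline is not None and today > deadline,
    }


def weekly_recheck(f: Finding, exploit_now_known: bool, today: Union[date, str]) -> dict:
    """Re-run triage after the weekly exploit-status check (question 4 may flip)."""
    return triage(replace(f, active_exploit=exploit_now_known), today)


# Constructed sample findings (not real vulnerabilities).
SAMPLE_FINDINGS = [
    Finding("example-1", 9.8, True, True, False, date(2024, 1, 1)),
    Finding("example-2", 7.5, False, True, False, date(2024, 1, 1)),
    Finding("example-3", 5.0, False, False, False, date(2024, 1, 1)),
    Finding("example-4", 3.1, False, False, False, date(2024, 1, 1)),
]

if __name__ == "__main__":
    for finding in SAMPLE_FINDINGS:
        print(triage(finding, "2024-01-20"))
```

Run it on your own inventory by building Finding records from your scanner export; the important behaviour to notice is example-2, which starts as "monitor-weekly" and becomes "emergency" the moment weekly_recheck is told an exploit is active.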