Firewalls, antivirus software, and other security fortifications are the most visible components of an effective cybersecurity architecture. However, your protocols for system monitoring and maintenance are equally critical to your defenses. You need to scan for gaps or cracks in your safeguards and patch them as needed. Both routine patch management and patching in response to specific events are not just best practices but necessities.
That said, how often should you perform them?
How Often Should You Perform Patch Management?
This guide will focus on answering one specific question: How often should you perform patch management? We’re also concerned with questions about what patch management should comprise. We’ll answer these questions generally for several business types, including:
- All businesses that process payments via credit and debit card transactions
- Companies directly within the healthcare industry or contracted adjacently
- Government agencies and companies seeking governmental contracts
- Bulk Electric System (BES) and other critical power grid businesses
- Brokers, brokerage firms, and certain other financial institutions
But first, let’s address some more basic definition questions — namely, what is a patch management process? And why is it so critical to your business’s security and success?
Why is Patch Management So Important?
There are only a few ways organizations learn of flaws in their cybersecurity architecture, and most of them are painful. One of the worst is when an attack happens. If your systems are designed to prevent an event, but it still occurs, something must have gone wrong. The chances are that the required protections were not installed, were installed improperly, or are missing updates.
Another painful way to learn about flaws in your system is during an audit. Audits can cause significant stress when passing a particular one is required for proper licensure or for winning a lucrative contract. Gaps and missing patches identified this way can cause short- and long-term costs.
Internal assessments are often a less painful way to identify gaps, but complete tests can be costly and time-consuming. Patch reporting and management is a cost-effective way to ensure your safeguards stay intact between full assessments.
Patch Management Frequency by Industry
Because patch management is so essential for all businesses, you should aim to conduct at least some form of patch reporting as frequently as possible. A daily patch report regimen can include simple scans of your inventory, including virtual and physical assets, to ensure the most recent updates have been installed and there are no apparent flaws in your established safeguards.
Then, more detailed assessments at longer intervals (weekly or monthly) can dive deeply into the intricacies of your infrastructure. One of the most critical considerations for patch management is alignment with the regulatory compliance frameworks your company follows, which depend on your industry and the nature of your business. Let’s look at schedules, regulations, and patch management processes for some common regulatory frameworks.
Patch Management for PCI DSS Compliance
Companies that process credit card payments, debit card payments, and other forms of card-based transactions need to comply with the Data Security Standards (DSS), developed by the Security Standards Council (SSC) of the Payment Card Industry (PCI). PCI DSS Requirement 6.2 pertains to secure systems’ development and maintenance, including patch monitoring:
- Policies and procedures must be updated within one to three months of patch release.
- System components and related software must be updated within the same timeframe.
These and other PCI DSS requirements are designed to keep cardholder data safe, which in turn protects your company from direct theft, fraud, and reputational costs associated with data breaches. PCI DSS patch monitoring and PCI DSS compliance advisory programs should seek out updates at regular intervals to allow enough time for installation before these deadlines.
Patch Availability Reports per HIPAA Standards
Companies working within the healthcare industry, and their business associates, are covered entities under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Primary compliance requirements include the Privacy, Security, and Breach Notification Rules.
Security Rule requirements include various administrative, physical, and technical safeguards to ensure confidentiality, integrity, and availability of protected health information (PHI). Maintaining these controls requires risk management, including monitoring for and installing patches as soon as they become available — this means frequent patch reports.
A 2018 newsletter on HIPAA patch management from the Office for Civil Rights emphasized just how critical regular patch monitoring and management is for maintaining HIPAA compliance. See our own HIPAA Patch Management datasheet for more information on what’s required.
NIST SP 800-171 Required Patch Management
Companies seeking contracts with the US Department of Defense (DoD) need to follow Defense Federal Acquisition Regulation Supplement (DFARS) requirements. To protect federal contract information (FCI) and controlled unclassified information (CUI), you’ll need to follow:
- National Institute of Standards and Technology (NIST) Special Publication 800-171
- The new Cybersecurity Maturity Model Certification (CMMC) of the OUSD(A&S)
These frameworks entail numerous controls and requirements for regular assessments of gaps and patches, conducted as often as possible. Supplemental controls and suggestions for patch management are detailed in NIST SP 800-40, Revision 3, titled “Guide to Enterprise Patch Management Technologies.” Comprehensive NIST/CMMC/DFARS compliance advisory services facilitate mapping and implementing all required controls, ideally without overlap.
NERC CIP Patch Reporting and Management
Companies that constitute the Bulk Power System (BPS) across North America are governed by the North American Electric Reliability Corporation (NERC). If your company is a supplier or is otherwise involved in the electrical grid supply chain, you may need to follow the NERC Critical Infrastructure Protection (CIP) standards, of which 12 are currently enforced, with one pending.
In particular, NERC CIP-007-6, “Systems Security Management,” defines thresholds for patch management procedures. At a minimum, it requires detailed patch reporting every 35 days, proven by evidence of a patch report archived by the internal IT team or external IT service providers with an accurate timestamp. You also need to install patches as soon as possible to ensure seamless NERC CIP compliance and security for all stakeholders in the grid.
Patch Management for FINRA Compliance
Finally, companies in the brokerage and financial services sector need to comply with standards set out by the Financial Industry Regulatory Authority (FINRA) — in particular, the Cybersecurity Checklist, which is available for free download. Scheduling prescriptions for patch management are loose, but a 2015 FINRA report on cybersecurity practices describes measures that most companies in the industry take, irrespective of requirements. Takeaways include:
- A vast majority of companies surveyed (~95%) relied upon metrics to assess security, and a common metric for patch management involves thresholds for patch updates.
- Companies using this threshold may require that 95% of computers’ Microsoft and Adobe suites are “up to date” (less than 90 days old).
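As an added illustration (not from the original post or from RSI Security), here is a small Python daily patch report that scores a constructed asset inventory against the figures discussed above: the FINRA-style threshold of 95% of machines patched within 90 days, plus the NERC CIP-007-6 35-day cadence and the PCI DSS 6.2 install window. The inventory rows, host names, and the choice of 90 days as the upper bound of the PCI DSS one-to-three-month window are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class PatchStatus:
    host: str
    suite: str                 # product family, e.g. "microsoft" or "adobe"
    released: date             # release date of the newest applicable vendor patch
    installed: Optional[date]  # when it was applied, or None if still missing

# Constructed sample inventory (no real hosts); the report date is fixed for reproducibility.
TODAY = date(2024, 6, 1)
INVENTORY = [
    PatchStatus("ws-01",   "microsoft", date(2024, 5, 14), date(2024, 5, 20)),
    PatchStatus("ws-01",   "adobe",     date(2024, 4, 10), None),  # missing for 52 days
    PatchStatus("ws-02",   "microsoft", date(2024, 5, 14), date(2024, 5, 28)),
    PatchStatus("ws-02",   "adobe",     date(2024, 4, 10), date(2024, 5, 10)),
    PatchStatus("srv-db",  "microsoft", date(2024, 1, 9),  None),  # missing for 144 days
    PatchStatus("srv-web", "microsoft", date(2024, 5, 14), date(2024, 5, 30)),
]

def days_missing(row: PatchStatus, today: date = TODAY) -> int:
    """Days the newest patch has been available but not installed (0 once installed)."""
    return 0 if row.installed else (today - row.released).days

def up_to_date_ratio(inventory, today=TODAY, max_age_days=90) -> float:
    """Share of rows that are 'up to date': installed, or missing for fewer than
    max_age_days (the FINRA-style 'less than 90 days old' metric)."""
    if not inventory:
        return 0.0
    return sum(days_missing(r, today) < max_age_days for r in inventory) / len(inventory)

def meets_threshold(inventory, today=TODAY, max_age_days=90, required=0.95) -> bool:
    return up_to_date_ratio(inventory, today, max_age_days) >= required

def overdue(inventory, deadline_days: int, today=TODAY):
    """Rows whose missing patch has exceeded an install window, worst first."""
    late = [r for r in inventory if days_missing(r, today) > deadline_days]
    return sorted(late, key=lambda r: days_missing(r, today), reverse=True)

# Install windows checked by the daily report: NERC CIP-007-6's 35-day cadence and
# the upper bound of PCI DSS 6.2's one-to-three-month window (90 days is assumed).
DEADLINES = {"NERC CIP-007-6 (35 days)": 35, "PCI DSS 6.2 (90 days)": 90}

def daily_report(inventory, today=TODAY) -> dict:
    """Summary a daily patch report could emit, grouped by framework deadline."""
    late = {n: [f"{r.host}/{r.suite}" for r in overdue(inventory, d, today)] for n, d in DEADLINES.items()}
    return {"up_to_date_ratio": round(up_to_date_ratio(inventory, today), 3),
            "meets_95pct_threshold": meets_threshold(inventory, today), "overdue": late}
```

On the sample inventory the ratio is 5/6 (0.833), so the 95% threshold fails; srv-db breaches both windows, while ws-01's Adobe suite breaches only the 35-day one.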
Professional Patch Management and Security
As a recap, let’s break down the question: how often should you perform patch management? It depends heavily upon several factors. The particular components that make up your security architecture are major determinants, as are the various overlapping needs of regulatory compliance.
No matter how complex and challenging your patch reporting is, RSI Security is happy to help optimize your practices. To see how streamlined and powerful your patch management processes and overall cybersecurity can be, contact RSI Security today!