Security Patching in Complex Environments

Security Patching in Complex
Environments
A Practical Guide to Policy and Process Design for Patching Applications
and Operating Systems in the Context of Australian Signals Directorate
Top 4 Guidance
Rishi Nicolai
Senior Service Management Consultant, Microsoft Australia
Jimmy Fitzsimmons
Senior Premier Field Engineer, Microsoft Australia
Contributors and Reviewers
Brian Farnhill
Chris Tuite
Clinton Temple
David Cottingham
David Jansen
Glen Wareing
Grant Holliday
James Kavanagh
Jason Waddell
Joseph Marino
Joy Hines
Marc Dudok
Martin Morrison
Neil Ladbrook
Nick Eichner
Regina Jagiello
Ronel Vosloo
Russell Stevens
Scott Deacon
Yen Chiu Chin
Ziggy Nemeth
Senior Premier Field Engineer, Microsoft
Support Practice Manager, Microsoft
Principal Service Delivery Manager, Microsoft
Security Consultant, Foresight Consulting
Senior Premier Field Engineer, Microsoft
Senior Enterprise Architect, Microsoft
Senior Service Engineer, Microsoft
National Security Officer, Microsoft
Senior Technical Account Manager, Microsoft
Service Management Consultant, Microsoft
Service Management Consultant, Microsoft
Senior Premier Field Engineer, Microsoft
CSS Manager, Microsoft
Senior Service Delivery Manager, Microsoft
Senior Consultant, Microsoft
Associate Delivery Project Manager, Microsoft
Senior Service Management Consultant, Microsoft
Senior Premier Mission Critical Engineer, Microsoft
Security Architect, WW Public Sector, Microsoft
Premier Field Engineer, Microsoft
Senior Consultant, Microsoft
Disclaimer:
This document has been prepared by Microsoft to provide an overarching framework to assist the
implementation of security patch management capability within complex environments.
This document is provided on an “as is” basis and to the maximum extent permitted by law Microsoft disclaims
all conditions, warranties and guarantees, express or implied, including but not limited to any warranty or
guarantee that the use of the framework set out in this document will not infringe any rights or any warranty
or guarantee of merchantability or fitness for a particular purpose.
The document is intended to be used as a guide to create a security patching approach for your organisation.
The process flow and document outlines specified in the document should be used as an example only. Before
using components set out in this document, you should evaluate its suitability for your organisation. In
particular, if you choose to act upon the recommendations of the approach, then you do so at your own risk.
Apart from any use permitted under the Copyright Act 1968, and the rights explicitly granted above, all rights
are reserved.
Contents
Executive Summary ................................................................................................................................. 1
Introduction ............................................................................................................................................ 2
Purpose of the Guide .......................................................................................................................... 2
Audience ............................................................................................................................................. 2
Patching and the Australian Information Security Manual ................................................................ 3
Security Vulnerability .......................................................................................................................... 3
Security Patching and the ISM ................................................................................................................ 5
ISM Patching Controls ......................................................................................................................... 5
ISM Compliance and Reporting .......................................................................................................... 7
Enterprise Patch Management Approach .............................................................................................. 9
Step 1: Baseline current capability ................................................................................................... 11
Step 2: Develop a Security Patch Management Policy ..................................................................... 13
Step 3: Develop a Security Patch Management Process .................................................................. 14
Step 4: Develop a Capability Implementation Plan .......................................................................... 17
Step 5: Configure the Technology ..................................................................................................... 18
Step 6: Implement Process and Measure Process Performance ...................................................... 19
Step 7: Conduct Post-Implementation Review ................................................................................. 19
Developing a Security Culture............................................................................................................... 20
Embedding the Security Patch Management Capability .................................................................. 20
Security Patch Management Detailed Step-Guidance .......................................................................... 22
1. Assess ............................................................................................................................................ 22
2. Identify .......................................................................................................................................... 26
3. Evaluate & Plan ............................................................................................................................. 29
4. Deploy ........................................................................................................................................... 33
A.1 Report ......................................................................................................................................... 36
A.2 Process Compliance Assessment ................................................................................................ 37
Common Implementation Challenges .................................................................................................. 38
Supportive IT Security Policies Covering Security Patching .............................................................. 38
Security Patch Management Capability Implementation Plan ......................................................... 38
A Risk-Based Approach to Security Patching .................................................................................... 39
Deployment Timeframes for Patches ............................................................................................... 39
Streamline the Patching Process ...................................................................................................... 41
Minimising Impact Downtime for Business-Critical Applications ..................................................... 42
References ............................................................................................................................................ 43
Glossary ................................................................................................................................................. 45
Appendix I – Assessing System Risk ...................................................................................................... 46
Step 1 - Calculating Maximum Business Impact (MBI) ..................................................................... 47
Step 2 - Calculate Exploit Likelihood (EL) .......................................................................................... 47
Step 3 - Calculate Risk ....................................................................................................................... 48
Step 4 – Consider mitigating factors ................................................................................................. 48
Appendix II – Security Patch Management Process Document Outline ............................................... 49
Appendix III – Capability Implementation Plan Document Outline ...................................................... 50
Appendix IV – Security Patch Management Deferral Notice Document Outline ................................. 51
Appendix V – Security Patch Management Plan Document Outline .................................................... 52
Executive Summary
Patching of security vulnerabilities is the single most important activity any organisation can undertake to
secure their information systems. It is essential to providing a foundation on which other security
controls can be overlaid. This is reflected by Australian Signals Directorate guidance that specifically calls
out patching of operating systems and applications as two of the Top 4 mitigations against cyber
intrusion.
Yet patching of systems within enterprise environments is often perceived as a complex challenge fraught
with cultural, procedural and technical issues. Many organisations find it difficult to effectively prioritise
and plan for deployment of patches within a consistent risk management framework. Others face
significant challenges in consistently complying with policies for the deployment of patches within
specified timeframes.
During 2014, Microsoft worked with some of the largest organisations in Australian government and
enterprises to navigate these challenges and develop a pragmatic, realistic approach to improving patch
management practices in complex environments. By mapping and optimising processes, identifying the
root causes of issues, trialling different strategies and establishing performance metric-driven
approaches, these organisations have made remarkable progress. As an illustration, one large
organisation with more than 10,000 staff, now achieve deployment of priority patches to 90% of
workstations within 48 hours – an improvement in timing of more than 3 months. These improvements
have a very real impact on the security posture of organisations that are increasingly under threat from
online risks.
Here are some essential stages to the strategy:



Baseline definition of the current environment to understand the current state of policy, process
and technology relating to the patching of vulnerabilities
Developing a patching policy and process that reflects the needs and complexities of the
organisation using an optimisation approach to remove delays and streamline decision making
Developing and executing an improvement plan that leverages tools, technologies and process
changes to drive improvement followed by monitoring progress on improving the patching
process, optimising and extending the implementation across all parts of the organisation
The approach outlined in this paper has now been proven and refined in a number of organisations who
are gaining significant benefits in terms of reduced risk exposure and improved compliance. Perhaps of
even more value, by significantly streamlining processes and resources, those organisations have been
able to prioritise their efforts on high value activities and greater innovation.
James Kavanagh
National Security Officer, Australia.
1
Introduction
Purpose of the Guide
•
The purpose of this document is to share an
approach that Microsoft has developed to
address patch management in complex
government environments. The approach,
which can also be considered a high-level
strategy, is described within the context of
the Australian Government information
security requirements, but parts may be
leveraged by any enterprise or government
organisation.
•
Audience
The target audience for this document
includes, but are not limited to:
Effective patch management is a fundamental
element of a sound information security
management strategy. However, it is also
recognised as being complex and fraught with
organisational and technical challenges. This
guide aims to navigate these challenges,
tackling the realities of patch management in
a complex, and technologically heterogeneous
environment. It was developed directly as a
result of experiences with large Australian
government organisations who faced the
complexity of patch management and have
successfully achieved significant
improvements.
• Information Technology Security Advisors
(ITSA) and Agency Security Advisors (ASA)
• Chief Information Security Officer (CISO)
• Information Technology Security Manager
(ITSM)
• Various business and technical service
owners as well as other roles responsible
for performing security patching related
activities within Australian Government
agencies.
The Australian Signals Directorate (ASD) is the
Australian Governments ICT security
authority, and the guidance specified in the
ISM is mandated across the Australian Federal
Government. This document may also be used
as a guide for other government agencies as
well as private enterprises to improve their
security patch management capability and
maturity.
The principal goals of the guide are to:
•
•
Outline the core objectives for effective
patch management, particularly in the
context of the Information Security
Manual (ISM)1.
Describe an approach for both
determining a baseline for current
practice, and also establishing a policy and
At the time of writing this document, the
2014 publication of the Information Security
plan for addressing security patch
management.
Provide guidance on building an
optimised patch management process
that reflects the real complexity of
enterprise environments.
Provide templates, guidance and
resources that can assist with such areas
as risk assessment and exception
handling.
Manual is the most current publication
released by the Australian Signals Directorate.
1
2
© Microsoft Corporation. All rights reserved.
The document assumes some prior
knowledge of the ISM controls relating the
security patch management as well
practitioner level knowledge of the ITIL®
framework. Sections of the document also
require practitioner level knowledge of risk
management with a focus on ISO 31000:2009.
management and process considerations
around patching.
Security Vulnerability
Vulnerability is the intersection of three
distinct elements: a system susceptibility or
flaw, an attacker’s access to the flaw and an
attacker’s capability to exploit the flaw (U.S.
Department of Defense, 2009). To exploit a
vulnerability, an attacker must identify and
use the appropriate tools and techniques to
exploit a systems weakness, which forms its
attack surface.
Patching and the Australian
Information Security Manual
The Australian Signals Directorate (ASD) have
developed a set of policies to safeguard the
Australian Federal Government’s ICT assets
from the threat of cyber-attack. These policies
are published in a public suite of documents
known as the Information Security Manual
(ISM). The ISM details the principals and
policy controls necessary to assist Australian
federal government agencies to secure their
ICT systems. Complementing the ISM is the
ASD Top 35 Strategies to Mitigate Targeted
Cyber Intrusions – a set of controls considered
to be the most effective against a determined
adversary attempting to penetrate and persist
on a government network. The ASD estimate
that implementing just the Top 4 Strategies to
Mitigate Targeted Cyber Intrusions of these
35 controls would mitigate at least 85% of the
intrusion attempts that the Australian Cyber
Security Operations Centre observe
(Australian Signals Directorate, 2013). Patch
applications and patch operating system
vulnerabilities are number 2 and number 3
respectively on the list of mandatory Top 4
controls.
The Microsoft Security Response Centre
(MSRC) uses the term in the following
context:
“A vulnerability is a security exposure that
results from a product weakness that the
product developer did not intend to introduce
and should be fixed once discovered”
(Microsoft, n.d.).
Software vulnerability disclosure can come
from a variety of sources, including publishers
of the affected software, security software
vendors, independent security researches and
even malware creators. (Batchelder, et al.,
2013).
The United States Government publishes
security vulnerability disclosures in the
National Vulnerability Database (NVD). The
diagram below shows how many security
vulnerabilities were recognised by the NVD,
industry-wide, between 2011 and 2013.
The ISM describes several controls that relate
to the deployment of software security
updates. Many technology vendors have
developed security patch deployment tools
and technical guides, however without the
right approach, meeting some of the ISM
compliance requirements can be challenging.
The predominant focus of this guide is on the
3
© Microsoft Corporation. All rights reserved.
on compensating mitigations in lieu of an
available update to the vulnerable software.
In a zero-day scenario, the asset owner does
not have the ability to deploy a security
update, and must apply other potentially
complex mitigating controls. Once a patch is
released for a zero-day vulnerability, the
priority typically becomes deploying the patch
as rapidly as possible to eliminate the
vulnerability.
Figure 1: Industry wide vulnerability disclosure, 1H112H13
Out of all exploited vulnerabilities, zero day
vulnerabilities pose the greatest potential risk
as they are exploited in the wild before the
software vendor is able to release a security
patch to address the vulnerability.
Typically, when zero day vulnerabilities
emerge, the initial focus for organisations is
4
© Microsoft Corporation. All rights reserved.
Security Patching and the ISM
ISM Patching Controls
vulnerability information and software
updates are known and that these channels of
communication are reliable.
A number of controls within the ISM
encourage a risk-based conversation within
government agency’s IT environment about
the impact of security patching, instead of
simply patching as a mechanical exercise. The
intent behind these controls is to promote a
security risk-based culture where operational
staff, management and executives are all
making and supporting risk-based decisions.
This will assist in protecting the
confidentiality, integrity and availability of
business services and agency’s ability to
implement the policies of the government.
‘Extreme Risk’ Vulnerabilities
ASD recommends that a number of factors be
considered when conducting a risk
assessment for system vulnerabilities,
including the value and exposure of assets or
their history of being attacked or impacted.
The following are examples of an ‘Extreme
Risk’:
• The vulnerability allows remote code
execution.
• Critical business systems/information
affected.
• Exploits exist and are in use.
• System is Internet connected with no
mitigating controls in place (Australian
Signals Directorate, 2013).
Typically, Commercial off the Shelf (COTS)
software product vendors address security
vulnerabilities identified in their products by
issuing security patches. Vendors do not
generally issue updates for software outside
of the product support lifecycle. Ongoing use
of unmaintained software poses a risk to the
security of the environment. This risk needs to
be managed. The Information Security
Manual (ISM Control 0304) indicates that a
security risk assessment is to be carried out
against software or ICT equipment that is no
longer supported by the vendor, so that the
risk of ongoing use is understood. Where
security patches are not available, ISM Control
0941 indicates that the risk must be managed
(recommendations are detailed in the
control).
To minimise the risk of an extended window
of vulnerability, ISM Control 0297 suggests
that all relevant sources for patch release
information should be monitored. Step
guidance provided further in the document
suggests some tips on how patch release
information should be monitored. It is
important that authoritative sources of
Based on ISM Control 1144, all extreme risk
patches must be deployed within 2-days.
Patching Timeframes
The ISM contains several controls that focus
on mitigating the adverse impact caused by
the exploitation of vulnerabilities. The intent
of the ISM controls are to assist agencies to
strengthen their security basics. Timing is
essential when mitigating vulnerabilities that
attackers are actively seeking to exploit.
Closing the window of vulnerability is one of
the most effective ways agencies can
safeguard their environments against
attackers. ISM control 1144 requires all
“extreme risk” patches be deployed within 2days of release or an appropriate mitigation
be put in place to address the risk.
Determining which patches pose an extreme
5
© Microsoft Corporation. All rights reserved.
level of risk to the business of the agency is
critical to the security of the service.
the product, bringing security features which
cannot be implemented by issuing security
updates. ISM Controls 1348 and 1349 thus
require agencies to deploy new versions of
products as soon as they are released, with
products addressing ‘Extreme risks’ deployed
with the 2-day timeframe.
The Microsoft Security Intelligence Report
(Vol. 15) has published data on the timing of a
remote code execution vulnerabilities first
detected exploitation, relative to the release
of a software update to address the
vulnerability. This data shows a distinct
downward trend in exploited remote code
execution vulnerabilities over recent years.
However, of particular interest is the
increasing proportion of vulnerabilities that
are already publicly exploited before any
software update is available to address the
vulnerability. This proportional rise in zeroday vulnerabilities suggests that the
timeliness of software update deployment is a
critical factor in its effectiveness to improve
security.
Devices and firmware are exposed to the
same risk as computer operating systems and
applications, therefore any known
vulnerabilities need to be addressed to
prevent their compromise. The recommended
ISM Controls 1350 and 1351 focus on the
patching of drivers and device firmware and
suggests that agencies should mitigate
‘Extreme Risk’ vulnerabilities within 2 days.
Figure 2: Microsoft remote code execution CVEs, 20062013, by timing of first known exploit
Deployment of software updates which
address ‘extreme’ risk vulnerabilities is a high
priority activity, providing an effective
mitigation to serious security risks.
Deployment of security updates which do not
address extreme risk vulnerabilities is still an
important activity, as there is still a risk that
the exploit could have impact on the business.
ISM control 0940 requires that “agencies must
apply all security patches as soon as possible”.
Commonly new products not only add new
features, but also address a number of
security flaws with the security foundations of
6
© Microsoft Corporation. All rights reserved.
ISM Compliance and Reporting
those duties (Australian National Audit Office,
n.d.).
The PSPF Mandatory Requirement GOV-7
requires agencies to “undertake an annual
security assessment against the mandatory
requirements detailed within the PSPF, and
report their compliance with the mandatory
requirements to the relevant portfolio
Minister”. ASD’s Top 4 Strategies to Mitigate
Targeted Cyber Intrusions, including all the
security patch management controls, are
required by the PSPF, under mandatory
requirement INFOSEC 4. It requires agencies
to capture their compliance to the Top 4,
including patching applications and operating
systems, reporting to the relevant portfolio
Minister(s), the Secretary of the AttorneyGeneral’s Department and the AuditorGeneral of ANAO, accompanied by rationale
for non-compliance.
ANAO performs regular audits of government
agencies against the ISM Top 4 strategies,
including all the ISM controls referring to
patch management. ANAO also publishes
findings and provides recommendations on
how the agencies can improve their security
posture and achieve improved compliance
with the defined controls.
Documented Non-Compliance
The ISM acknowledges that it is not always
possible for all agencies to follow all the
defined patch management related controls,
given unique business situations, technology
compatibility issues, or even occasional
resourcing issues. There are a number of
controls that provide guidance on
‘documented non-compliance’ and what the
ISM requires to be recorded in such
situations.
Documentation Obligations
Documenting key progress, decisions and
interactions in an operational environment is
a part of good operational practices. The ISM
has also dedicated a number of controls
requiring that government agencies use a
security patch management approach that is
planned and structured. The final step is the
documentation of the method into a number
of artefacts including Patch Management
Strategy (ISM Control 1143) which is
addressed by having a comprehensive
Security Patch Management Capability
Improvement Plan and Security patch
management process and procedures (ISM
Control 0303).
ISM Control 0001 identifies the authority for
controls – “For any control where the
authority field is 'ASD', system owners must
seek and be granted approval for noncompliance from the Director ASD in
consultation with their accreditation
authority”. All other controls typically require
the agency’s Accreditation Authority (AA) to
oversee compliance and grant noncompliance (ISM Control 1061).
In certain circumstances, it is not possible to
deploy patches as per the controls specified in
the ISM and as a result, risks within the
agency’s environment may be un-mitigated.
To assist with understanding the reasons
behind the situation to the various response
teams within the agency, it is important to
document non-compliance.
Compliance Checking
The Auditor-General is responsible, under the
Auditor-General Act 1997, for providing
auditing services to Parliament and public
sector entities and is supported by the
Australian National Audit Office (ANAO) in
ASD mandates a requirement for agencies to
provide reports of non-compliance to ASD
7
© Microsoft Corporation. All rights reserved.
(ISM Control 0713). The purpose of notifying
authorities to grant non-compliance is:
As the justification for non-compliance may
change, the risk environment will continue to
evolve over time. It is thus important that the
System Owner update their approval for noncompliance at least every two years. This
allows the appropriate authority to have any
decision to grant non-compliance either
reaffirmed or rejected if the justification or
residual security risk is no longer acceptable
(ISM Control 0876).
• To assist capturing an accurate picture of
the state of information security across
government
• To help inform incident response
• To use as feedback for the ongoing
refinement of the ISM.
Documentation is submitted as required by
ISM Control 0710 to the Accreditation
Authority to declare non-compliance. These
submissions include:
• A justification for non-compliance
• A security risk assessment
• The alternative mitigations to be
implemented.
8
© Microsoft Corporation. All rights reserved.
Enterprise Patch Management Approach
Where are we now?
Microsoft has developed an approach to
implement a security patch management
capability within both the private and
government sectors.
Step 1.
The approach is delivered with the following
3 phases:
Where are
we now?
1. Develop a
baseline of
current patch
capability
Where do
we want to
be?
2. Develop a
security patch
management
policy & process
How do we
get there?
3. Implement
and review a
patch
management
improvement
program
Baseline current environment:
a. People: Identify the policy
sponsor, capability owner and
stakeholders
b. Process: Identify the current
patching activities, responsible
roles, and patch management
process performance
c. Technology: Identify the
deployment tools/architecture
and technical mitigations
Where do we want to be?
Step 2.
Step 3.
Figure 3: Approach Phases
Develop security patch
management policy
Develop security patch
management process
How do we get there?
The phases focus on understand the agency’s
current state and contrasting that against the
desired state required to meet the agency’s
security obligations. This assists with driving
the creation of the required policy and
process direction, which would be leveraged
in remediating the agency’s approach to
patch management.
Step 4.
Step 5.
Step 6.
Step 7.
This practical approach is constructed in
eight steps that flow from understanding
current practices and context, to developing
a patch management policy and process, to
ultimately implementing an improvement
program and reviewing the outcomes.
Develop a Capability
Implementation Plan
Configure the toolsets to support
the process
Implement new process and
measure performance
Perform a Post Implementation
Review for Continual Service
Improvement.
The remainder of this section describes each
of these steps in further detail and is
accompanied by supporting information in
the appendices. The sections also provide
practical checklists for the implementation of
the capability.
9
© Microsoft Corporation. All rights reserved.
10
© Microsoft Corporation. All rights reserved.
1
Step 1: Baseline current
capability
 Are agency management supportive of
security initiatives?
 Are patching requirements understood
during the ‘requirements gathering’ phase
of a system being designed?
One of the most important activities
when taking on an improvement
exercise is to have an opportunity to
review and document the current practices.
This not only gives the agency an opportunity
to assess their internal capability, but also
provides a starting point for any
improvement activity in the environment.
The following checklist is broken into core
areas and can assist with a review process.
 Are new systems designed so they can be
easily patched during operations? Is the
operations team consulted during the
design phase?
 Is IT Security able to enforce the security
initiative?
People
Process
Agencies should consider the following
people elements of the extant approach:
 What are the detailed, end-to-end
activities performed currently within the
environment to deploy a software update
released by a vendor? Who performs
them and how are they sequenced?
 Who owns the security patch
management policy within the agency?
Where is it documented and how is it
accessed?
How do the following Service Management
functions work to enable and effective patch
management approach:
 Who owns the security patch
management process within the agency?
Where is it documented and how is it
accessed?
 Change Management - Including
provision for Standard Changes
relating to security patching
 Which personnel are performing security
patching activities within the agency? Has
process training and policy awareness
been provided?
 Release & Deployment Management With relation to regular deployment
windows available for patching
 What are the people’s impressions about
how effective the process is?
 Asset & Configuration Management Cataloguing all software and hardware
assets that may require patching and
the patch state of each
Culture
Agencies should also assess their culture and
baseline patterns of behaviours and cultural
norms. This will assist with diagnosing any
issues that may need to be addressed for a
successful security patch management
capability.
 Incident Management - How well are
security patch related incidents
handled?
11
© Microsoft Corporation. All rights reserved.
 How well is the current process
performing? What is the current
security vulnerability window, or the
turn-around time from patch release
to a compliant state? How reliable are
the measurements?
 What can be automated? How much of
the current practices have already been
automated?
 How well is non-compliance captured
and understood?
 How much effort is required to follow
the end-to-end process to deploy
patches?
 Number of actors responsible for the
various activities with the process and
the number of touch-points with the
various teams.
 Is there a process to deploy out-ofband or extreme risk patches within
the organisation? Does it meet a 2-day
turnaround?
Technology
 What are the deployment
tools/procedures currently in use?
 How accurate is the inventory?
 Which are the simple and complex
workloads for deployment?
 Which deployment tools apply to which
systems?
 Are the deployment tools and systems
suitably designed to support the timely
distribution and deployment of patches?
 Are the deployment tools in a healthy
state?
 How much effort is required to deploy
software updates using the toolsets?
12
© Microsoft Corporation. All rights reserved.
2
Step 2: Develop a Security
Patch Management Policy
The security patch management policy
statements are a way of communicating
what & why security patching should be
undertaken within the agency. It should also
include information on how the activities
relate to the agency’s security obligations
and business objectives.
The purpose of the security patch
management policy is to communicate
the intent of security patch
management in the agency, and will define
the principals that guide its implementation
throughout the agency.
All security patch management policies
should be clearly articulated and widely
communicated to both the employees of the
agency as well as any contractors or service
providers.
The security patch management policy
statements should focus on:
 Roles & Responsibilities - Clearly
articulating accountable roles and
incorporating information security into
the agency’s broader risk management
practices.
Having an ability to enforce the IT Security
Policies is just as important as having them in
the first place. In order to be successful in its
enforcement, having executive and senior
management buy-in for these policies is
critical. Ensuring that senior managers and
decision makers are fully aware of security
risks and the need for patching in a timely
manner is critical in facilitating the
availability of appropriate resource.
 Timeframes – What are the timeframes
for implement the patching policies? How
can the security patching policies be
implemented across the agency: Big-bang
or phased? How and why a risk based
approach can be implemented to identify
the security patching phases?
 Identify any security patch management
related policy statements in the agency’s
security manual (clarify if required).
 Risk Based Decision Making – How a risk
based decision making regime be
implemented? What Risk matrices are
available within the agency?
 Create security patch management policy
statements (either as part of an existing IT
Security Policy or as a separate
document). The appropriate agency
Accreditation Authority (Australian Signals
Directorate, 2014) must sign off the
security patch management policies
before circulation.
 Recording – What are the agency
recording obligations as defined in the
ISM and the Archives Act 1983
(Commonwealth Consolidated Acts,
1983)? What level of security is required
around patching information and how will
this be achieved?
The security patch management policy
statements should be reviewed and updated
annually to cater for changes in the business
and external circumstances, such as new
Information Security Manuals and guidelines,
or changes to the global security threat
landscape.
 Reporting – What reporting is required to
measure the success of the policy
implementation? How will the data be
obtained and processed?
13
© Microsoft Corporation. All rights reserved.
3
Step 3: Develop a Security
Patch Management Process
comprehensive security patch management
process is essential in mitigating these issues.
There are a number essential elements in a
security patch management process.
Security patch management is the
process of controlling the deployment
and maintenance of security patches
in the organisation. The process
improves system security, while helping
maintain operational efficiency and
effectiveness, and stability of the technology.
The process should contain the components
essential to the implementation of the
capability within the individual agencies. This
document includes an example four-phased
security patch management process, which
can be used as a basis for forming an
agencies process. The section below
describes the 4 phases of the process.
Research shows that 80% of all issues in IT
operational environments are related to
people and process (Scott, n.d.). Having a
Figure 4: Example Security Patch Management Process
14
© Microsoft Corporation. All rights reserved.
Assess
Identify
The Assess phase focuses on bringing a
system under process compliance (also
referred to as ‘on-boarding’ within the
document). The main purpose of this phase is
to take a system through a checklist of
readiness activities so the various teams
responsible for its patching can prepare for
ongoing patching operations in alignment
with the ISM requirements.
The Identify phase in the example process
focuses on the identification of vulnerabilities
for a system. Security vulnerability
identification can be pro-active or reactive in
nature. Depending on the system and the
potential impact of the vulnerability, the
software vendor may use:
• A regular security patch release cycle, or
• An irregular (out-of-band) security patch
release.
A system has been brought under the
security patch management process, or onboarded once the following have been
completed:
Agencies must use the information collected
within their inventories to identify which
systems require patching, in what timeframe,
and where to source relevant vulnerability
and patch information. ISM control 1144
describes an overall response time between
patch release and patch deployment to be
two days for ‘Extreme’ risk patches, making it
critical to make sure that the notification of a
patch release is as immediate and credible as
possible for the assessment to take place.
 Current state of patching activities is
identified
 Risks associated with on-boarding and
ongoing patching activities have been
identified, and mitigations have been put
in place
 Vendor information has been identified
Make sure that there is more than one
person subscribed to the vendor patch
notifications, in the event notifications arrive
when the primary person is unavailable.
 Test, implementation, and back-out
procedures have been articulated
 The above information and other systemspecific information (see section 1.1 of
Appendix V – Security Patch Management
Plan Document Outline) has been
compiled into a document artefact
(security patch management plan).
Occasionally, vendors release security
updates to address vulnerabilities outside of
their standard release cycle. This generally
occurs when a discovered vulnerability is
already being exploited in the wild (zero day)
or is considered critical enough to warrant
the urgent release of the patch mid-cycle.
This phase is intended to be run once per
system and does not need to be executed for
each patch release applicable to the system.
15
© Microsoft Corporation. All rights reserved.
Evaluate & Plan
Effectively evaluating the patches released
will assist with the planning activities:
The Evaluate & Plan phase assesses both the
impact of not deploying the patches (leaving
the vulnerability exposed), and the risks
associated with the deployment of the
patches to the production environment.
Deployment may, but not certainly,
necessitate an outage to a service, depending
on a number of factors such as design of the
service. Each patch should be assessed
individually based on the systems impacted
and dependencies on other related patches.
Each patch should be assessed for the:
• Determining required outage
• Identifying risks, issues and constraints
• Building the release plan.
Determining the required outage requires an
understanding of the impact to the business
and IT services and the agreed Service Level
Agreements (SLAs). An SLA is usually specific
to a system or a service. Other constraints
such as network capacity, business
requirements and security requirements
should also be considered at this stage.
• Risk profile of the system being patched
(based on historical patches)
• Impact to the business, as outlined by
PSPF (Protective Security Policy
Committee Attorney-General's
Department, 2014).
Building the patch release plan should take
into account the:
 Scripts, tools and procedures followed by
the system administrators to build the
release package
Using the outcome from the above criteria
and the risk management framework within
the agency, a risk rating for the patch should
be created.
 What level of testing is suitable for the
system?
Deploy
It is important to understand the risk of
delaying deployment of patches, or indeed
not deploying them at all: What would be the
business impact of confidentiality, integrity
or availability of the system being
compromise? The propensity for compromise
will only increase in the days following the
release of a security update for a
vulnerability. This should be a key input into
the agency’s decision-making.
The risk rating of the vulnerability may
influence the deployment timeframe for the
patch. The testing outcome and deployment
timeframes will assist with the identification
of the release window for the patching cycle.
In situations where the testing has identified
outstanding defects, there may be sufficient
risk posed by the vulnerability to continue
with deployment.
The goal of this phase of the process is to
confirm that approved security patches have
been successfully deployed in the production
environment while meeting all the Service
Level Agreements (SLAs) negotiated with the
business and the required level of
compliance can be demonstrated. This phase
is completed through the execution of
technical deployment procedures for the
applicable systems.
16
© Microsoft Corporation. All rights reserved.
4
Step 4: Develop a Capability
Implementation Plan
task, success can be achieved by addressing
the requirement in a phased approach.
Priority should be given to systems with a
high risk profile and they should be brought
under process control before lower risk
systems. There are a number of components
essential to an effective Capability
Implementation Plan:
Implementing the agency’s security
patch management Policy must be a
planned activity. Agencies with large
and complex environments should consider a
phased approach to make implementation
more manageable.
 Develop a strong business case
There are various criteria that can be used to
identify which systems within your
environment should be prioritised. This must
be a risk-based decision; systems with a
higher risk profile are the highest priority.
Here are some of the things that may be
considered while prioritising systems:
 Define a clear end-state
 Define the work packages, schedule, and
deliverables out of the plan/project
 Stakeholder management plan
 Communications plan
• Value of the data – what data
classification will have the most adverse
impact if compromised? How do we
secure that first?
• Business critical services – what services
are on the critical path for the agency’s
operation and its ability to meet its
objectives? What systems need to be kept
secure so the business critical services are
not compromised?
• Minimizing attack vector – What are the
biggest attack vectors within the
organisation? (e.g. operating systems and
applications on end user desktops, IT
admin desktops, server fleet, etc.)
• Industry exploitation patterns – Major
security reports such as Microsoft Security
Intelligence Report (Microsoft, 2015).
 Organisational change management plan
(discussed further on in the document).
As part of the implementation plan, also
discuss:
 Documents and templates – What
documents and templates are required to
support the implementation of the
security patch management policy? Do
they exist? How will they be developed?
 Tools – What tools and techniques are
available within the agency/partners/
service providers that can be leveraged to
support the security patch management
Policy?
Most agencies have a combination of
Microsoft and other vendor technologies in
their environments. While patching a
complete environment can be a daunting
It is important that the security patch
management policy owner is also supportive
of the Capability Implementation Plan and is
involved in the development of it.
17
© Microsoft Corporation. All rights reserved.
5
Step 5: Configure the
Technology
• Ability to prioritize the distribution of
particular software updates based on
associated risk.
• Ability to support sequenced installation,
or multiple deployment windows to assist
with complex workloads and maintaining
service availability.
Having a robust and streamlined
security patch management process
gives an agency the ability to respond
promptly to security risks presented to the
organisation. Technology is the important
enabler of organisational policies, and should
support the outcomes the organisation is
seeking to achieve. The effectiveness of the
patch deployment toolset and associated
automation has a direct impact on software
update deployment timeframes, and
consequently, on the security posture of the
organisation.
Consider the following checklist when
assessing the software update management
tools and supporting network infrastructure:
 Can the download/importation of
applicable updates be optimised?
 Does network bandwidth and distribution
point hierarchy adequately support the
security goals?
To improve the deployment performance of
software updates, many activities can be
automated, including using appropriate
deployment toolsets to download, distribute,
and apply security updates. It is important to
make the most of available features of
deployment tools to make a difference to the
swiftness, and therefore effectiveness of the
deployment efforts.
 Can/should the update distribution
priority align with the risk level of the
software update?
 Which complex and labour intensive
systems with availability requirements
need to have the deployment sequence
automated?
The selection, design, and configuration of a
software update management toolset and
supporting network infrastructure are all
critical to the ability of the organisation to
maintain secure systems, and achieve
prompt deployment timeframes. Factors to
consider in the design and configuration of a
software update management toolsets and
supporting infrastructure include:
• Ability to accurately determine applicable
updates.
• Ability to download/import software
updates promptly.
• Ability to stage software updates at
locations to optimize WAN utilization.
• Ability to distribute software updates
promptly, to support the goals of the
applicable policies.
18
© Microsoft Corporation. All rights reserved.
6
7
Step 6: Implement Process and
Measure Process Performance
Step 7: Conduct PostImplementation Review
The first step of the approach
(Baseline current environment)
focuses on reviewing the current
people, process and technology practices.
This phase is an opportunity to measure the
improvements that have been made after
having implemented a streamlined process,
clear roles and responsibilities, and the
required technology tuning.
After each cycle of improvements
made to the people, process or
technology components of the
solution, it is valuable to conduct a PostImplementation Review (PIR). This would
enable all stakeholders to discuss the good
and the bad aspects of the process. Sharing
how different teams may have tackled the
same challenges can be a useful exercise,
leveraging cross-team collaboration.
Upon implementation of the new process, a
post-implementation baseline would assist
with the articulation of the project value
realisation. Consider the following areas
when measuring the performance of the new
process:
The security patch management process
owner should chair the sessions. It is
essential to document all the opportunities
for improvement and the process owner
should feed that into the security patch
management’s continual improvement
exercise.
 How well is the new process performing
compared to the previous one?
In some cases, if there are too many teams
that are involved in the process execution, it
may be more productive if the process owner
meets with each of the teams individually.
This will not only enable the process owner
to discuss operations in a lot more detail, but
would make sure that the time of the
attendees is used appropriately. One-on-one
meetings also provide a good opportunity to
discuss challenges with inter-team
communication, which is a key success
criterion.
 What is reduction in the Security
Vulnerability Window?
 How well did all the teams work together
to achieve the desired outcomes? Are
there areas where process improvement
can be made or a process re-design is
required?
 What is the effort required to perform all
the activities required to patch each
system? This information will assist in
identifying which are the labour intensive
activities, which are prime candidates for
automation.
The PIR sessions are best run straight after
the process execution, so feedback can be
freshly captured. It is important to answer
questions such as:
• Are the communications working
effectively?
• Were there any incidents caused?
• What are the potential future
improvements?
19
© Microsoft Corporation. All rights reserved.
Developing a Security Culture
Embedding the Security Patch
Management Capability
•
•
•
•
“Most change initiatives fail because there is
insufficient focus on the activities and
practices that need to be carried out to embed
change into the organisational culture”
(Ferris, 2011).
Balanced Diversity Model
The Deming Cycle (PDCA)
Kanter, Stein and Jick’s 10 commandments
Nadler’s 12 steps.
The phased approach within the capability
implementation plan can be scoped and
prioritised based on the appetite for change
of the system owners as well as the security
risk profiles of their systems.
A well designed process that no one follows
produces no improvement in an agency’s
security posture. A well designed toolset or
capability that the right people aren’t
consuming does not bring the intended value
and creates a missed opportunity for the
investment. On the contrary, it results in a net
decrease in value of the investment due a
false sense of security (as management
assume that the new toolset or capability has
been adopted) while adoption related issues
continue to emerge. It is crucial to build a
bridge between the new process and
technology introduced and confirm that all
stakeholders are supporting and adopting the
change to realise the benefit to the agency.
Whichever change model the agency chooses
to deploy, there are a number of common
areas that need to be addressed. This section
focuses on some of the questions that need to
be resolved during implementation.
Why change?
It is important for all staff and managers to
understand the benefits of a robust security
patching capability to the agency’s security
fabric as well as the agency’s obligations
under the ISM and why the change in process
is required. The following are a number of
activities that aim at increasing awareness of
new process and change to activities they
would be performing:
Agencies need to assess how the newly
developed security patch management
capability is to be adopted into the culture of
the organisation. This requires people to
adopt the new practices and understand how
these activities will help them and the agency
achieve the required level of security and
desired business outcomes.
 Ensure all managers and team leaders
within IT and Security are aware of the
need for the new process and how their
will contribute to the successful
implementation of the process.
 Ensure senior management publically
communicate their support of the initiative
to improve the security capability, as well
as acknowledge compliance obligations
and how they align to the agency’s
business outcomes.
To enhance the probability of successful
adoption of new work practices, behaviours
and roles and responsibilities, agencies can
apply a number of different Organisational
Change Management models including:
• PROCI ADKAR Change Management Model
• Kotter’s 8-Step Change Model
 Communicate the need for the security
patch management process and the
20
© Microsoft Corporation. All rights reserved.
behavioural changes required, widely,
often and in different ways. Based on each
employee’s understanding of the current
state, his or her buy-in into the change will
be different and would benefit from
tailored communications.
intended benefits and the staff have been
able to absorb the training.
Is the change being implemented
successfully?
It is important to get a feel from the roles
involved with regards to the effectiveness of
the new process and how well it is
performing.
What does the change actually
mean?
For agency staff to have buy-in into the new
security patch management process, their
awareness must lead to a desire to participate
in the implementation of the new process.
 Activity execution is well understood and
continual service improvement is in place
 Seek direct feedback from stakeholders
and make appropriate changes to the new
process and procedures to facilitate
smoother operations.
Here is a list of activities that can assist:
 Clearly understand the changes required
for each individual. Be able to demonstrate
the advantage of the new or changing
activities.
 As required, continue to provide technical,
process and other required support to the
operations teams.
 Where appropriate, notify the staff of the
incentives of successful embedding of the
security patch management process and
how they will be individually rewarded for
contributing to the change (e.g. public
recognition, additional training, career
development opportunity, and being part
of an important change).
Recognition of success
Once the process implementation is
underway within the agency, and the agency
is successfully able to start on-boarding
critical workloads, it is crucial that there is
adequate acknowledgement of the
achievement as well as an ongoing emphasis
of the importance of what has been achieved.
What is required to change?
 Send direct feedback from senior
executives as well as the project sponsor
to all staff acknowledging achievements.
Having the appropriate level of training
provided to all the impacted roles is an
important part of implementing the change.
 Prepare training packages to make sure
that all impacted staff are aware of the
new process’s business value, the change
in activities for their roles, as well as the
operation of any new technologies
introduced into the environment.
 Have direct managers provide public
feedback thanking all team members for
the effort provided.
 Continue to reinforce the importance of
the achievement and directly link it to the
agency’s goal.
 Regularly check to make sure that process
and technology training has had the
21
© Microsoft Corporation. All rights reserved.
Security Patch Management Detailed StepGuidance
This section of the document describes some
of the activities that may be conducted during
the four phases of the example security patch
management process which was constructed
in step 4 of the security patch management
approach. The intent of the section is to
provide optimised and streamlined example
guidance that each of the agencies can tailor
to the operational requirements of their
organisations, as per their agency’s IT Security
Policy. Agencies should consider how they
would achieve the intent of the procedures
and adapt the procedures to their agency.
The section below provides examples of what
the step guidance for the various process
steps may look like.
Figure 5: Security Patch Management Process
22
© Microsoft Corporation. All rights reserved.
1. Assess
This phase focuses on bringing the system(s) under the control of the security patch management
process and is essentially an “on-boarding” phase.
The goal of this phase is to:
• Define service and system specific information
• Develop Risk Impact Matrix
• Complete the security patch management plan.
1.1 Service On-boarding
Figure 6: 1.1 Service On-boarding Activity Flow Diagram
1.1.1 Define Service Attributes
For each new service, identify:
Performed by – System Manager
 Technical Service Owner accountable for
the service delivery.
When technical services are transitioning
under the management of the security patch
management process (either as part of
transitioning into operations or bringing an
existing production system under process
compliance), identify and document all the
systems that comprise the stack. The
following steps will make sure that each
system identified within the service has been
“on-boarded”. To make sure that Service
Level Agreements can be met, make sure that
the outage requirements (if any) of all the
individual systems sequenced in such a way as
to minimise the impact on the availability of
the service.
 List of systems that make up the service.
 Relevant service level requirements,
including availability requirements for the
service.
1.1.2 Define System Attributes
Performed by – System Manager
On-boarded system can be either part of a
service or as a stand-alone system (potentially
providing a technical service in itself). For
each of the systems being on-boarded,
identify the following attributes:
23
 System Name (and service name if the
system is inherently a part of a Technical
Service)
© Microsoft Corporation. All rights reserved.
 System Owner – The branch head2 that is
accountable for day-to-day operations of
the system.
 Configuration Items (CIs) included within
the scope of the system. Update the
agency’s asset and configuration
management database as the information
is collected.
 System Manager – The Director2 or an
appropriate delegate responsible for
operations of the system
Each systems within the agency should have a
risk profile created. This would include
attributes such as:
 System Administration Team2 – The team
responsible for day-to-day operational
activities for the system
 Business teams using the system and the
business impact of the system not being
available
 System Build Team2 (if appropriate) the
team that will be responsible for building
the deployment package if the patches are
being deployed manually.
 The operating systems and applications
that underpin the system – including their
risk profiles
 System Test Team2 will develop the test
plan/strategy and will execute the test
cases.
 The frequency of security patch releases
for the system and how to consume the
security notifications
 System Business Verification Team2 is
responsible for validating the production
readiness of the system and dependent
business services post patch installation
 Distribution and deployment timeframes
required for the security patches relating
to the system using the designated patch
deployment method.
 System Deployment Team2 is responsible
for installing/deploying the
patches/package to the production
environment
 System Monitoring Team2 monitors the
deployment and compliance of patches
within the agency’s environment
 System Vendor(s) – including method of
communicating patches and release
schedule
 System Change Management Team2
These are recommended performing roles
(functions) only and may not be actual separate
2
24
teams/roles. Smaller agencies may have a single
team/roles performing multiple set of activities.
© Microsoft Corporation. All rights reserved.
1.1.3 Define Impact Matrix
potential risks that may cause the agency to
not deploy patches in a timely manner to all
the required agency assets.
Performed by – System Manager
This activity pre-calculates the impact of a
system compromise and likelihood for patches
released for this system for later use in risk
assessment.
Use the agency’s prescribed Risk Management
framework to capture the risk. If there is no
framework available, refer to ISO 31000:2009
for further information.
Calculating the right risk rating is important
for the correct prioritization of the patches.
During operations, there is often insufficient
time to collect all the information required to
calculate the impact to the business of the
agency. Pre-digesting some of this
information can help expedite operational
decision making and assist with meeting the
ISM’s 2-day turnaround timeframe for
‘extreme risk’ patches.
1.1.5 Suggest Mitigations & Actions
Performed by – System Manager
For each of the identified risks, it is important
that there be an appropriate response to
make sure that there is no unnecessary
impact to the agency’s patching activities.
Ensure that the treatments are identified and
agreed as part of on-boarding the
service/system. This will assist with making
sure that there is an opportunity to plan
upfront for resourcing requirements as well as
getting management’s support to prioritise
patching activities should there be competing
demands for resources.
In order to calculate the impact of deploying a
patch to a system, it is important to
understand the system’s purpose and the
impact on the agency’s business if the system
is compromised. Refer to section Appendix I –
Assessing System Risk for further information
on assessing risk.
1.1.6 Compile Security Patch Management
Plan
1.1.4 Identify Risks to Patching
Performed by – System Manager
Performed by – System Manager
The system patch management plan captures
all the information collected during the onboarding of the service or system, and acts as
a concise, service-specific reference
document for driving the process. The plan
should be published and accessible to all the
roles involved in patching the system. A
document outline for the security patch
management Plan can be found in Appendix V
– Security Patch Management Plan Document
Outline.
An agency’s IT operations environment can be
very challenging and there are always many
things happening at the same time. The
volatility of the environment often requires
the operational teams to be agile and divert
resources to high priority tasks as they come
along. It is however important that high value
activities such as security patching do not get
re-prioritised and have sufficient support at all
times.
This step of the process requires the System
Manager to run workshops to gather all of the
25
© Microsoft Corporation. All rights reserved.
2. Identify
The Identify phase focuses on identifying which patches need to be deployed to the agency’s
environment.
The goal of this phase is to:
• Determine relevance of patches to the agency’s environment
• Categorise patch priority, influencing the timeframe required to deploy.
2.1 Identify and Prioritise
Figure 7: 2.1 Identify and Prioritise Patch Activity Flow Diagram
2.1.1 Assess Released Patches
Performed by – System Manager
Ensure that there is a clear communication
channel between the vendor who releases the
patches and the agency. Subscribe to a variety
of methods including:
• email subscriptions,
• RSS feeds, and
• Websites.
patches relating to the SOE operating systems
and applications; the database platform team
should be assessing any database patches;
etc. Understanding patch dependencies and
the recommended sequence of installation
(usually published by vendors) will make sure
that patch deployment is successful and have
the desired mitigation.
There are three primary release types for
patches:
Always make sure that there are multiple
people monitoring the vendor alerts in case
the primary person is not available.
• Scheduled patch release – A number of
vendors publish schedules for the release
of their patches. These schedules are
published in advance, and gives agencies
an opportunity to negotiate a preapproved release schedule with their IT
and Business areas. Having pre-approved
windows enable agencies in using a
Each patch should be assessed by the system
administrator for its applicability to the
system. For example, the team responsible for
the managing the Standard Operating
Environment(SOE) should be assessing all
26
© Microsoft Corporation. All rights reserved.
Centralised vs Distributed Model for Patch
Selection
‘Standard Change’ option within the
Department’s Change Management
process, removing a number of
administrative overheads.
• Unscheduled patch release – A number of
vendors do not have a standard schedule
for when they release their patches and as
a result, release windows cannot be preassigned or pre-approved for their
deployment.
• Emergency/Out of Band patch release –
Occasionally, patches are released which
address vulnerabilities that are known to
be actively exploited. These patches are
considered too urgent to wait for the
scheduled release.
There are two options for approaching patch
selection within an agency. This section
discusses pros and cons of each of them.
Agencies may choose to use either of the
centralised or de-centralised patch selection
models, including a combination where it
makes sense to do it. Whatever the model
used, it is important to make sure that roles
and responsibilities are agreed and
documented.
Distributed Patch Selection Model
Each team is responsible for monitoring the releases of all the
security patches relating to the products they maintain within
the environment.
Pros



Cons




Patch deployment decisions are more likely to be
technically sound as they are being made by the
technology SMEs.
This is a scalable solutions for agencies with larger
IT environments as there is no ‘single point of
failure’ for patch selection and each team can
select their patches in parallel, improving the
efficiency of patch selection process.
Time investment is significantly less per team as
the workload is distributed.
Cross-system impact assessment identification
requires the various dependent stakeholder teams
to communicate the impact between themselves,
potentially increasing time to deploy.
Application of agency’s risk management
principals consistently across all technical teams
involved in patch selection is more difficult and
requires additional quality assurance.
Every change made to the process and supporting
documentation requires all teams to train.
Governance, reporting and compliance checking is
a significant effort investment.
Centralised Patch Selection Model
A single IT Security team is responsible for monitoring
the releases of all the security patches relating to the
products deployed within the environment.







Decisions are more likely to be consistent as they are
being made by the same team.
Centralised understanding of all the patches released
allows better impact assessment (including
identifying cross system patch dependencies).
One team requires training and always has the
agency’s security as the primary focus.
Governance, reporting and compliance checking is
controlled centrally and much easier to improve.
As this team is not the technology SME, critical
patches may not be correctly assessed for
deployment.
Solution not scalable for large number of
technologies within the agency as one team may not
know about all technologies deployed, their
interdependencies and operational specifics.
Significant time investment by the team.
Table 1: Distributed vs Centralised Patch Selection Model - Pros and Cons
27
© Microsoft Corporation. All rights reserved.
2.2 Validate priority
Framework or as documented in the system’s
security patch management plan) to assess
the risk of the vulnerability to the agency’s
environment. Some additional guidance has
been put forward in Appendix I – Assessing
System Risk.
Performed by – System Manager
It is crucial that agencies assess each patch to
determine the deployment priority for the
impacted systems. A typical risk-based
approach for assessing likelihood and impact
is the best way to identify and validate
deployment priority.
It is also important to capture the mitigations
that exist within the agency’s IT environment
which may either reduce the likelihood of the
vulnerability being exploited or the Impact
should it be exploited, thus reducing the
overall risk. This would not only represent a
more accurate threat assessment, but would
also provide greater focus on vulnerabilities
that are of ‘extreme risk’. Also refer to section
Security Patching and the ISM earlier in this
document.
A thorough risk-based approach requires
agencies to understand:
Likelihood – The probability for the
vulnerability to be exploited in the near term.
Impact –The impact to the agency’s business
functions if the system was compromised
(financial, labour, reputational, etc.)
Use the agency’s Risk Calculation table (as
part of the agency’s Risk Management
28
© Microsoft Corporation. All rights reserved.
3. Evaluate & Plan
Goals of the Evaluate and Plan phase include making a decision whether or not to deploy an update,
determining deployment requirements, and testing to confirm that it does not compromise the
stability of business-critical systems and applications. The intent of this phase is to:
•
•
•
•
•
•
Determine the appropriate response
Obtain authorisation for deployment
Review change request(s)
Plan the release
Identify key issues and constrains; and
Build and test the release.
3.1 Authorise Change
Figure 8: 3.1 Authorise Change Activity Flow Diagram
Standard Change as the mechanism typically
used for activities like patching. Use of
Standard Changes may assist with:
3.1.1 Raise Standard Change
Performed by – System Manager
The agency’s change management processes
usually identify which change record type is
the best one to use in the various
circumstances. A Standard Change (OGC,
2011) gives the operations teams the ability to
promote the patches through the various
environments and into the production
requirements within minimum delay. Industry
frameworks including ITIL® and Microsoft
Operational Framework (MOF) identify
 Removing the additional submission lead
time requirement
 Increasing focus on critical documentation.
Standard changes are optimal for proven
cases, where the risk of failure is low as the
change has been proven successful multiple
times.
29
Standard Changes typically do not require
submission to the Change Advisory Board
© Microsoft Corporation. All rights reserved.
(CAB) and can be approved either by the
Change Manager, by the System Owner as
specified by the agency’s Change
Management Process or may at times be preapproved, with no additional approval
required.
hours and a Standard Change option is not
available.
Refer to the agency’s Change Management
process for further guidance on how the
different change record types should be used.
Use the IT Service Management product
within your agency to raise the Standard
Change record and submit it for approval. For
further guidance on how standard change
approvals work for your agency, contact the
Change Management team.
3.1.4 Obtain Approval
Performed by – System Manager
Ensure that the appropriate level of approval
is granted for the Change Record raised and
the impact is well understood before
continuing. Where there is end-user impact
and the outage to end-user applications may
be outside of pre-advertised windows, make
sure they are notified in advance.
3.1.2 Assign Deployment Window(s)
Performed by – System Manager
Assign deployment window(s) for the
deployment of the patches based on a preagreed patch release calendar or else identify
an appropriate window for the patch release.
Refer to the agency’s Change Management,
Release and Deployment Management
processes for further guidance on assigning
deployment windows.
3.1.3 Raise Change Record
Performed by – System Manager
Where a Standard Change option is not
available, one of the follow options may be
appropriate:
 Normal Change (OGC, 2011) may be used
for deployment of patches that are not
‘Extreme Risk’ and can fit within the
change cycles of the agency.
 Consider ‘Emergency Change’ (OGC, 2011)
may be an option when ‘Extreme Risk’
patches need to be deployed within 48
30
© Microsoft Corporation. All rights reserved.
3.2 Build Patch Release Package
Figure 9: 3.2 Build Patch Package Activity Flow Diagram
Wherever possible, patches should be
automatically downloaded from the verified
repositories to expedite the deployment
activity as soon as the patch selection activity
is complete.
manually created for deployment as part of
the guidelines provided by the deployment
software vendor. A number of deployment
toolsets are able to deploy custom packages
for applications and patches. A package must
be manually created for deployment as part
of the guidelines provided by the deployment
software vendor.
Performed by – System Build Team
Performed by – System Build Team
3.2.1 Acquire Patches
Performed by – System Build Team
3.2.3 Install to Dev Environment
3.2.2 Build Release Package
Install patches to the agency’s development
environment as soon as possible. This will
allow developers to catch issues with patches
earlier. An up-to-date development
environment will make sure that developers
are developing on the latest platform.
If a deployment toolset is not available, this
step may be redundant.
Many patch management toolsets are able to
automatically package patches they
download. A number of deployment toolsets
are able to deploy custom packages for
applications and patches. A package must be
31
© Microsoft Corporation. All rights reserved.
3.3 Test Patch Package
Figure 10: 3.3 Test Patch Package Activity Flow Diagram
organisations assets at serious risk of
compromise.
3.3.1 Install Patches in Test Environment
Performed by – System Test Team
For each outstanding defect, also consider if
there are alternative strategies that can help
mitigate the risk to the production
environment posed by the defect. It is also
important to consider the discrepancy
between the test and production
environment when assessing outstanding
defects.
Install the downloaded patches into the test
environment.
3.3.2 Perform Testing as per Test Plan
Performed by – System Test Team
Perform testing as per the test plan. For more
information on testing processes, refer to ITIL
Service Validation and Testing process (OGC,
2011) and MOF (Microsoft Operations
Framework, 2008).
If the residual risk to the production
environment is unacceptable, IT security’s
input would assist with a buy in for the system
owner’s decision for next steps.
3.3.3 Assess Residual Risk to Production
Performed by – System Manager
3.3.4 Issue Testing Endorsement
The risk posed by delaying the deployment of
security updates should be weighed up
against any defects discovered in testing. A
defect is an important observation that
should not be ignored; at the same time,
unpatched security vulnerabilities put an
Performed by – System Test Team
If the security updates have passed testing,
this decision is recorded and the deployment
team is notified of the decision. Proceed to
the deployment phase.
32
© Microsoft Corporation. All rights reserved.
4. Deploy
The Deploy phase includes the rollout of approved update(s) into the production environment.
Generally the success is measured against the requirements of service level agreements (SLAs).
• Prepare deployment
• Deploy patches to target endpoints; and
• Perform post implementation activities.
4.1 Distribute and Install Patches
Figure 11: 4.1 Distribute and Install Patches Activity Flow Diagram
4.1.1 Distribute Patches
4.1.2 Install Patches
Performed by –Deployment Team
Performed by – Deployment Team
As soon as the distribution of the patches is
complete and the approved outage window is
open, install the patches using the
Deployment Procedures for the system. The
monitoring team should be notified of a
successful deployment so they can start
monitoring for expected compliance.
Patch distribution is the act of staging the
patches to the necessary distribution points or
to the assets where the updates are to be
installed.
As soon as the updates are packaged, they
should be distributed. The distribution of the
patches (especially to a large and
decentralised environment) can take some
time and should be sequenced to parallelise
activities that need not be executed serially.
Change approval for installation may not
necessarily be required as a prerequisite for
distribution. Distribution windows should be
pre-approved and communicated within the
organisation.
33
© Microsoft Corporation. All rights reserved.
4.2 Escalate Issues
Figure 12: 4.2 Escalate Issues Activity Flow Diagram
4.2.2 Notify Intent to Continue
4.2.1 Seek IT Security Input
Performed by – System Manager
Performed by – System Manager
When a decision to continue with the patch
deployment (either in its current scope or
reduced distribution) is made, continue with
the deployment of the patches under any
agreed conditions. A reduced scope
deployment should accompany a deferral
request.
An escalation may be required for a number
of reasons:
 Technical – architectural or compatibility
conflict
 Risk – Testing failed, outstanding defects,
issue with piloting or patch rollout, not
being able to meet the 2-day window for
whatever reason.
 Business – Business requires service
availability and reliability during the
deployment window.
4.2.3 Submit Deferral Notice
Performed by – System Manager
The ISM expects all exceptions to the patch
management controls to be documented (ISM
Control 003). The Deferral Notice should be
used to document deferral decisions as well
as the mitigations implemented.
The intent of this activity is for the system
manager to seek consultation with IT Security
and seek their support for the next steps.
Seeking IT Security endorsement upfront will
not only assist with managing expectations
within both IT and business areas of the
agency, but will provide an additional level of
consultation before security based decisions
are made.
There are a number of alternative activities to
be considered based on ISM control 0941 to
assist with risk mitigation. These activities
should be discussed prior to agreeing to a
Deferral Notice.
34
© Microsoft Corporation. All rights reserved.
4.3 Monitor Patch Distribution
Figure 13: 4.3 Monitor Deployment Activity Flow Diagram
 There is an issue with the deployment
infrastructure (the deployment toolset,
server or the hardware layer).
 Software update packages are failing to
install due to some unreliability.
 There are issues with the reporting
capability of the deployment toolset.
4.3.1 Monitor Patch Distribution
Performed by – System Monitoring Team
Once distribution has initiated, progress
should be actively monitored to ensure no
issues are preventing the propagation of
security patches.
Lengthy delays to distribution could pose a
security risk to the agency. The monitoring
team should raise a Security Incident to have
the situation investigated further.
Security Incidents should be handled by the
Incident Manager responsible for security
incidents for resolution (please refer the
Security Incident Management process within
the agency). For further guidance on Incident
Management, refer to the ITIL Service
Operations publication (OGC, 2011).
4.3.2 Raise Security Incident
Performed by – System Monitoring Team
There may be a number of reasons why the
patch deployment rate does not meet
baseline performance, for instance:
35
© Microsoft Corporation. All rights reserved.
A.1 Report
Figure 14: A.1 Report Activity Flow Diagram
IT Security Related Reports
A.1 Produce Reports
IT Security needs to have visibility of the
success or otherwise of the effort of the
System Mangers to comply with the ISM
controls. The IT Security reports may include:
Performed by – System Monitoring Team
The PSPF has specific reporting requirements
for agencies on their compliance with the ISM
Top 4 Strategies to Mitigate Targeted Cyber
Intrusions. In conjunction with published
requirements, various level of decision
makers in the agency require different reports
to make operational decisions. Here are three
different reports that administrators, security
operators and executives can use to get the
information they need:
 Deployment compliance over time
 The percentage of the system CIs
successfully patched within 2 days of patch
release (compliance to ISM Control 1144)
 Number of systems that have a security
patch management plan in place and are
being patched regularly
 Operational reports
 IT security related reports
 Executive and compliance.
Executive and Compliance
The agency executives need to have visibility
of the agency’s activities to verify that they
are strengthening the security of their
environment. Here are some examples:
Operational Reports
The System Managers and administrators
require visibility of the deployment rate of
their packages as well as how it is impacted by
all the technical factors in their environment:
 Indicators of compliance to ISM Controls
related to security patch management
 Deployment tool capability
 Indicators of level of undocumented,
uncontrolled non-compliance
 Availability, capacity and performance of
their patching infrastructure
 Security patch related achievements as
well as major risks to the agency’s security
patching environment.
 Deployment compliance
36
© Microsoft Corporation. All rights reserved.
A.2 Process Compliance Assessment
Figure 15: A.2 Process Compliance Assessment Activity Flow Diagram
 Hold Process Compliance Assessment kickoff meeting.
A.2.1 Identify System to Assess
Performed by – System Assessor
A.2.3 Conduct Compliance Assessment
The compliance assessment is a mechanism to
drive adherence to the process as specified in
the security patch management policy and
process.
Performed by – System Assessor
Conduct the assessment activities by
following the created checklist:
Identify systems to assess based on the
following suggestions:
 Check adherence to the agency’s security
patch management process and
procedures.
• High-value, high-risk systems
• Systems for which patch related Security
Incidents are being logged regularly.
• Systems where compliance state is
unknown or poor.
A.2.4 Produce Compliance Assessment
Report
Performed by – System Assessor
Document the findings of the process
compliance assessment. Cover the following
topics at a minimum:
Contact the System Owner and the System
Manager of the intent to assess including
timeframes and list of people to engage. This
would provide them sufficient time to
organise the required documentation to
present for the assessment.
• Assessment and system overviews
• Assessment observations and finding
• Recommendations.
A.2.2 Plan Compliance Assessment
Follow up with the System Owner and the
System Manager to discuss actions for
remediation, action owners and dates for
completion. Present the assessment report
and the agreed remediation action plan to the
IT Security Advisor and if appropriate, to the
agency executive. Follow up on the
remediation action plan on a regular basis.
Performed by – System Assessor
Plan for the patching process compliance
assessment:
 Document patching activities (meetings
and checklist)
 Create assessment schedule
37
© Microsoft Corporation. All rights reserved.
Common Implementation Challenges
Supportive IT Security Policies
Covering Security Patching
Owners and the System Managers to plot a
timeline to bring the target systems into
compliance, or to implement other proactive
threat mitigations, as part of the Capability
Implementation Plan.
Challenge: There is no buy-in from
management for the implementation of the
ISM controls within the agency.
When building a security patch management
capability implementation plan, consider the
advice in previous sections of this document
(Step 4: Develop a Capability Implementation
Plan). In addition to the above, also consider:
A critical success factor for achieving effective
security outcomes is that all stakeholders,
including senior leaders in the organisation,
understand the importance of the security
patch management policies and their
applicability to the information security
posture of the organisation. Agencies must
have the appropriate level of security
patching related policies and they need to be
well communicated to both the IT staff as well
as the business areas of the organisation.
• Where does the agency store trophy data?
• Where is the greatest opportunity for risk
reduction?
• Which operating systems or applications
are most frequently exploited in the wild?
• How widely is the operating system or
application used within the agency and
what is the potential business impact of
the vulnerability?
Ensuring that the senior executives, middle
management as well as all IT and business
staff understand the importance of the
implementation of these policies is also
crucial. Policy owner should make sure that
the security patch management policies are
adequately communicated and their purpose
is clearly articulated (also see section Step 2:
Develop a Security Patch Management Policy).
Security Patch Management
Capability Implementation Plan
Figure 16: Encounter rates for different types of exploit
attempts in 2013
Challenge: How do we decide what we should
on-board first?
Having a comprehensive security patch
management capability implementation plan
can guide embedding of behaviours required
to achieve the security patch management
Policies. The Capability Implementation Plan
outlines a rough timeline of what devices and
systems will be brought under IT Security
Policy compliance. This enables the System
There are many publicly available sources of
vulnerability exploit data, which can help
paint a picture of the software security threat
landscape. For instance, the below above
from the Microsoft Security Intelligence
Report (Volume 16) shows publicly observed
vulnerability encounter rates by type of
exploit.
38
© Microsoft Corporation. All rights reserved.
A Risk-Based Approach to
Security Patching
deployment. Even though vendors provide
advice on the urgency of patch deployment,
each agency should use a risk-based decision
making approach to make IT security-related
risk decisions. Vendor attributes should be
inputted into the decision making process as
well.
Challenge: Vendors publish a rating for their
patches. What does that mean for my agency
and why can’t I just use that to prioritise patch
deployments?
Taking a risk-based approach to security
update management means using knowledge
of a particular security vulnerability, as well as
mitigating and environmental factors, to
determine the level of risk posed to the
organisation. Understanding the risk posed by
a specific vulnerability enables informed
decisions about priority, resources and
deployment schedule.
Exploitation of a vulnerability within a
Department’s IT environment can have an
impact to the confidentiality, integrity and
availability of the assets. This could lead to a
negative impact to the business services and
business processes that depend on the asset.
The consequences for a compromised
organisation can mean a measurable loss of
financial assets, reputational damage or
worse.
Deployment Timeframes for
Patches
As per the PSPF Protective security
governance guidelines on Business Impact
Levels (Protective Security Policy Committee
Attorney-General's Department, 2014),
agencies should consider all threat sources
and potential consequences on an asset
before determining the overall business
impact from the asset’s compromise or loss.
The Capability Implementation Plan should
give priority to mitigating risk to assets which,
when compromised, will have an
unacceptable impact to the business of the
organisation.
Challenge: It is not possible to deploy patches
to production within 2-days. Testing takes too
much time and change control can add
days/weeks to the timeframe.
The Information Security Manual has two
primary controls that cover deployment
timeframes of software security updates. ISM
Control 1144, describes deploying updates,
which are described as ‘extreme risk’ within
the 2-days. ISM Control 0940 indicates that all
security updates should be installed “as soon
as possible”.
The PSPF requires that agencies apply the risk
management methodology detailed in SAI
Global – AS/NZS ISO 31000:2009 Risk
management – Principles and guidelines and
SAI Global – HB 167:2006 Security risk
management to assess their security risks
(Protective Security Policy Committee,
Attorney-General's Department, 2012).
During an assessment of the as-is process
documentation, the following areas generally
stand out for time consumption:
• Time required for testing of the patches
• Time required for going through the
agency’s change control and release
management processes.
It is often difficult for teams in large
organisations to determine how deploying, or
not deploying a certain patch impacts risk to
the organisation, and how to best prioritise its
Even though these are two very important
aspects of the overall process, it is beneficial
that they be performed in the context of the
39
© Microsoft Corporation. All rights reserved.
overall process objective - to mitigate the risk
to the production environment. Every minute
that the patches are undergoing testing or
going through the agency’s change
management process, there is an increased
risk that the vulnerability in the production
environment may be exploited. It is crucial to
find the right balance between the amount of
testing required to mitigate the risk of
patching and the risk of having the
vulnerability exploited on production systems.
CAB sitting times and required
documentation.
 Assume a positive path through the
process flow assuming that ‘all will go as
planned’. Only disrupt the positive flow if
there is a show-stopping event which adds
unacceptable amount of risk to the process
outcome. Here are a few examples:
 Once the patch release windows have
been published, consider business
approval to commence by default
unless approached by the business area
with a valid business case. Once the
patch release windows have been
published, consider business approval
to commence by default unless
approached by the business area with a
valid business case. Once the patch
release windows have been published,
consider business approval to
commence by default unless
approached by the business area with a
valid business case.
The following activities can assist with
improving the time to deploy:
 Assess the requirement for each activity
within the “as-is” workflow. Calculate the
effort required to perform the activity and
determine if that activity is essential in the
achievement of the objective of the
process. Removal of non-critical activities
from the core process.
 Identify activities that can be performed in
parallel. Apply these parallel optimisations
even to individual process steps. (E.g. Can
test plan steps be sequenced differently to
optimise without compromising quality?
Apply these parallel optimisations even to
individual process steps. (E.g. Can test plan
steps be sequenced differently to optimise
without compromising quality?)
 Identify and agree on what is the
appropriate amount of testing required to
mitigate the risk to production.
Streamlining the testing effort can
significantly improve the time to deploy.
 Utilise the Standard Change provision
within the agency’s Change Management
process. As these changes are typically preapproved, significant time can be saved in
eliminating the Change Advisory Board
(CAB) lead timeframes, dependency on
40
© Microsoft Corporation. All rights reserved.
Streamline the Patching Process
A RACI matrix can be used to clearly
specify for each activity, who is:
Challenge: We already have a patch process,
but it doesn’t seem to be giving us optimised
results.
o R – Responsible
o A – Accountable
The details around patch deployment
activities are typically the responsibility of the
technical resources responsible for BAU
maintenance of the system (Server OS,
applications, SOE, etc.), thus there may be a
varied set of approaches to patching within a
single agency. Approaches that have grown
organically offer an opportunity for
consolidation. There are benefits in designing
a streamlined approach for services/systems
that require patching within the agency.
o C – Consulted
o I – Informed
 Guidance from the following processes
within your agency (based on the ITIL
processes) may assist the creation of the
security patch management process:
o Change Management, Release and
Deployment Management, Asset and
Configuration Management, Validation
and Testing Management (OGC, 2011)
Here are a few techniques that can be helpful
when streamlining the process:
o Information Security Management
(OGC, 2011)
 Have a strong process baseline with
activities identified within a workflow.
Brainstorming and white boarding are very
effective techniques that can be used to
capture the extant approach.
o Incident Management, and Problem
Management processes (OGC, 2011).
Assess Compliance & Reporting
Once a security patch management process
has been defined for the agency, it is
important to agree on measures of success for
the process – Key Performance Indicators
(KPIs). The resulting performance of the
process is a function of the inputs, being the
policy, process, procedures, and the decisions
made in execution. The KPIs will assist with
the measurement of the effectiveness of the
process and will provide further visibility into
how much improvement may be required for
the processes to be able to meet the policy
objectives.
 Defining the inputs and outputs of each
captured activity step will assist in linking
each activity to the previous one and the
following activity. This can assist with the
value identification of each of the activity
steps. Six-Sigma SIPOC is one of the
common technique used to achieve this.
 Analyse the agency’s patching capability,
documenting individual steps and
eliminate steps that do not deliver value.
Lean IT (Value-Stream Mapping) uses a
diagram based approach to represent the
process flow activities for analysis.
o Release and Deployment Management,
o Asset and Configuration Management,
Validation and Testing Management,
Information Security Management,
Incident Management, and Problem
Management processes.
41
© Microsoft Corporation. All rights reserved.
Minimising Impact Downtime
for Business-Critical
Applications
requirement. An individual system’s
maintenance should not equate to a service
outage.
Having automated deployment tools can also
assist with reducing the downtime for
application servers and the administrative
overhead of sequencing patch deployment
activities for complex workloads. Keeping
each server outage to a minimum can be
achieved by ensuring that there is a good
understanding of the dependencies between
the various components of a service/system
and that the correct restart/start-up
procedure is known.
Challenge: Deploying patches will impact our
business critical applications. We cannot
afford to take them offline.
Ensure that patching requirements have been
taken into consideration during the service
development phase. System attributes like
availability, capacity, performance, reliability
should all be taken into account and captured
upfront as non-functional requirements.
Systems with such availability requirements
can be designed such that components can be
maintained either in sequence, or in parallel
without a complete outage of the service.
Where business expects a service to remain
available during proactive maintenance, the
design of the service should support this
Having appropriate documentation can also
assist with ensuring that instructions for
managing activities is clear. Any lessons learnt
which can assist with reducing downtime
should be clearly documented within the
deployment procedures.
42
© Microsoft Corporation. All rights reserved.
References
Australian National Audit Office, n.d. About
Us. [Online]
Available at: http://www.anao.gov.au/AboutUs
Microsoft, 2010. Microsoft Solution
Accelerators - Service Mapping (Microsoft
Operational Framework). [Online]
Available at:
http://download.microsoft.com/download/6/
5/8/658BC1E9-E262-45CA-BB6EE87C058BBD37/MOF%20Service%20Mapping.
docx
[Accessed 2015].
Australian Signals Directorate, 2013. Assessing
Security Vulnerabilities and Patches. [Online]
Available at:
http://www.asd.gov.au/publications/csocprot
ect/assessing_security_vulnerabilities_and_pa
tches.htm
Microsoft, 2014. Security TechCentre Microsoft Exploitability Index. [Online]
Available at:
http://technet.microsoft.com/enus/security/cc998259.aspx
[Accessed 2015].
Australian Signals Directorate, 2014. ISM Information Security Manual. [Online]
Available at:
http://www.asd.gov.au/publications/Informat
ion_Security_Manual_2014_Controls.pdf
Microsoft, 2015. Security Intellegence Report.
[Online]
Available at: http://www.microsoft.com/sir
Batchelder, D. et al., 2013. Microsoft Security
Intelligence Report - Volume 16, s.l.:
Microsoft.
Microsoft, n.d. Definition of a Security
Vulnerability. [Online]
Available at:
http://technet.microsoft.com/enus/library/cc751383.aspx
[Accessed 2015].
Commonwealth Consolidated Acts, 1983.
Archives Act 1983. [Online]
Available at:
http://www.austlii.edu.au/au/legis/cth/conso
l_act/aa198398/
[Accessed 2015].
OGC, 2011. ITIL Service Design. 2011 ed.
Norwich: The Stationary Office.
Ferris, K., 2011. Balanced Diversity - A
Portfolio Approach to Organisational Change.
London: The Stationery Office.
OGC, 2011. ITIL Service Operations. 2011 ed.
Norwich: The Stationery Office.
International Standards Organisation, 2009.
International Stanard ISO31000. Geneva: ISO
copyright office.
OGC, 2011. ITIL Service Transition. 2011 ed.
Norwich: The Stationary Office (TSO).
Microsoft Operations Framework, 2008.
Microsoft Operations Framework (MOF) 4.0.
[Online]
Available at: http://www.microsoft.com/enus/download/details.aspx?id=17647
Protective Security Policy Committee
Attorney-General's Department, 2014.
Protective Security Governamnce Guidelines Business Impact Levels. [Online]
Available at:
http://www.protectivesecurity.gov.au/govern
43
© Microsoft Corporation. All rights reserved.
ance/security-riskmanagement/Pages/Businessimpactlevelsguid
elines.aspx
Serna, F. J. & Roths, A., 2010. Security
TechCenter - Using the Enhanced Mitigation
Experience Toolkit to Safeguard Against Zero
Days. [Online]
Available at:
https://technet.microsoft.com/enus/security/gg524265.aspx
[Accessed 2015].
Protective Security Policy Committee,
Attorney-General's Department, 2012.
Protective security better practice guide Developing agency protective security policies,
plan and procedures., ACT 2600: Australian
Government.
The International Organisation for
Standadization, 2011. ISO/IEC 27005:2011.
[Online]
Available at:
http://www.iso.org/iso/home/store/catalogu
e_ics/catalogue_detail_ics.htm?csnumber=56
742
Protective Security Policy Section, 2011.
Protective Security Policy Framework. [Online]
Available at:
http://www.protectivesecurity.gov.au/inform
ationsecurity/Documents/Information%20sec
urity%20management%20protocol%20%20INFOSEC%204%20amendment%20%20April%202013.doc
U.S. Department of Defense, 2009. Software
Protection Initiative. [Online]
Available at:
http://www.spi.dod.mil/tenets.htm
Scott, D., n.d. Operations Zero Time, s.l.:
Gartner Security Conference.
44
© Microsoft Corporation. All rights reserved.
Appendix
Glossary
Asset
Emergency Change
Normal Change
Patch
Service Level
Requirements
Standard Change
System Owner
Technical Service
Owner
Threat
Vulnerability
Any resource or capability. The assets of a service provider include anything that
could contribute to the delivery of a service. Assets can be one of the following
types: management, organisation, process, knowledge, people, information,
applications, infrastructure or financial (OGC, 2011).
A change that must be implemented as soon as possible – for example to resolve a
major incident or implement a security patch. The change management process will
normally have a specific procedure for handling emergency changes (OGC, 2011).
A change that is not an emergency change or a standard change. Normal changes
follow the defined steps of the change management process (OGC, 2011).
A piece of software designed to fix problems with, or update, a computer program
or its supporting data. This includes fixing security vulnerabilities and other
program deficiencies and improving the usability or performance of the software
(Australian Signals Directorate, 2014).
An agreement between an IT service provide and a customer. A service level
agreement describes the IT service, documents service level targets, and specifies
the responsibilities of the IT service provider and the customer. A single agreement
may cover multiple IT services or multiple customers (OGC, 2011).
A pre-authorised change that is low risk, relatively common and follows a
procedure or work instruction – for example, a password reset or provision of
standard equipment to a new employee. Requests for change are not required to
implement a standard change, and they are logged and tracked using a different
mechanism, such as a service request (OGC, 2011).
The System Owner is the person responsible for an information resource. While the
system owner is responsible for the operation of the system, they will delegate the
day–to–day management and operation of the system to a system manager or
managers. While it is strongly recommended that a system owner is a member of
the Senior Executive Service, or in an equivalent management position, it does not
imply that the system managers should also be at such a level (Australian Signals
Directorate, 2014).
An IT service that is not directly used by the business, but is required by the IT
service provider to deliver customer-facing services (for example, a directory
service or a backup service). Supporting services may also include IT services only
used by the IT service provider. All like supporting services, including those
available for deployment, are recorded in the service catalogue along with
information about their relationships to customer-facing services and other CIs
(OGC, 2011).
Any circumstance or event with the potential to harm an information system
through unauthorised access, destruction, disclosure, modification of data, and/or
denial of service. Threats arise from human actions and natural events (Australian
Signals Directorate, 2014).
A weakness of an asset or group of assets that can be exploited by one or more
threats where an asset is anything that has value to the organisation, its business
operations and their continuity, including information resources that support the
organization’s mission (The International Organisation for Standadization, 2011).
45
© Microsoft Corporation. All rights reserved.
Appendix
Appendix I – Assessing System Risk
Figure 17: Example Risk Calculation Logic
A number of available Risk Management frameworks can be used to identify and manage the risks
associated with patching and security vulnerabilities. This document takes guidance from ISO
31000:2009, which is mandated by PSPF as the Risk Management standard for Australian
Government. It is recommended that each agency use the Risk Management practices adopted
within their agencies to address risk associated with patch management. The sections below provide
guidance, examples, and factors to consider as part of a risk-based approach to addressing patch
management.
Risk is often expressed in terms of a combination of the consequences of an event (including
changes in circumstances) and the associated likelihood, and can be calculated using a risk matrix
(The International Organisation for Standadization, 2011). This section offers suggestions on how to
calculate the likelihood (Exploit Likelihood) and consequence (Maximum Business Impact) to be used
in the agencies risk assessment.
In order to help make an informed decision about exploit likelihood, vendors often publish data that
seeks to articulate the likelihood that functioning exploit code will be observed in the immediate
future. This data can be consumed by organisations to help address the likelihood component of the
risk assessment. As an example, Microsoft publish attributes such as the exploitability index and a
severity rating. These attributes both contain elements that can influence the assessed exploit
likelihood for a given vulnerability in a system.
According to PSPF’s Business Impact Levels (BILs) document “The highest impact from the
compromise of confidentiality, integrity or availability should be the BIL assigned to the resource or
aggregation or resources” (Protective Security Policy Committee Attorney-General's Department,
2014).In this example approach, the systems Business Impact Level captures the Maximum Business
Impact of a system vulnerability, and informs the consequence component of future vulnerability risk
assessments.
46
© Microsoft Corporation. All rights reserved.
Appendix
The System Owner should seek guidance from the agency’s Risk Management capability area and IT
Security to make sure that the risk matrix is used appropriately.
Step 1 - Calculating Maximum Business Impact (MBI)
The impact of the system compromise may be calculated using BILs (Protective Security Policy
Committee Attorney-General's Department, 2014), which can be used as the Maximum Business
Impact for a specific system of a given classification.
As an example, it may be assessed that the Business Impact Level of the Exchange messaging system
carrying information of a protected classification has a Business Impact Level of 4 (Extreme), based
on the Business Impact Level descriptors defined for the organisation. This knowledge forms the
understanding of the Maximum Business Impact (consequence) of the system, which will go on to
inform the risk assessment of future vulnerabilities.
Step 2 - Calculate Exploit Likelihood (EL)
In Risk Management terminology, the word likelihood is used to refer to the “chance of something
happening, whether defined, measured or determined objectively or subjectively, qualitatively or
quantitatively and described in general terms or mathematically (such as a probability or a frequency
over a given time period)” (International Standards Organisation, 2009).
Here is an example of risk likelihood descriptors:
Likelihood
Description
2 (Unlikely)
Credible intelligence indicates that threat sources currently have little
capability or intent to target the agency. Action is assessed as unlikely.
1 (Rare)
3 (Possible)
5 (Likely)
6 (Almost Certain)
There is no indication of any threat to the agency. Action is assessed as very
unlikely.
Credible intelligence indicates that the agency is a possible target of threat
sources that have either limited intent or limited capability or both. Action
is assessed as possible but is not expected.
Credible intelligence indicates a current intention and capability to conduct
action against the agency. Action is assessed as likely.
Credible specific intelligence indicates a current intention, capability and
planning to conduct action against the agency. Action is certain.
Table 2: Example risk likelihood descriptors
Known risk determinants from various sources, including the vendor-defined attributes describing
anticipated exploitability and urgency should be consumed to form a model for attributing likelihood
to future published vulnerabilities. It is important that this model for attributing exploit likelihood is
compatible with the organisations established risk management practises.
47
© Microsoft Corporation. All rights reserved.
Appendix
Step 3 - Calculate Risk
Risk matrices like the risk matrix shown in the example below are a standard tool used in risk
management. These matrices are normally applied consistently within an organisation to maintain a
consistent approach to risk-based decisions.
This step (calculate risk) is performed reactively, once a vulnerability and the associated security
update are released. The aim is to attribute a risk rating to the vulnerability in order to prioritise its
deployment, and to be able to engage in risk-based conversations using risk descriptors that are
used organisation-wide.
The impact assessment should be informed by and should directly correlate with the Maximum
Business Impact assessed for the system in Step 1 – Calculate Maximum Business Impact. The
likelihood assessment should be informed by the model created in Step 2 – Calculate Exploit
Likelihood.
Likelihood
1
2
1
Low
Low
3
Low
Medium
Medium
High
2
4
5
Low
Medium
Impact
3
4
5
Low
Medium
Medium
Medium
High
High
Low
Medium
Medium
High
High
Medium
High
Extreme
High
Extreme
Extreme
Table 3: Example risk matrix
Step 4 – Consider mitigating factors
To achieve an accurate understanding of the residual risk, agencies may also consider existing
mitigating factors already deployed within the agency’s environment.
Some of examples of mitigations that may reduce the likelihood of exploitation are:
•
•
•
•
Application whitelisting is implemented within the environment
Content types are blocked by the messaging service
The environment is air-gapped from the Internet and less secure networks, and
Other mitigations (See ASDs Top 35 Mitigations for Targeted Cyber Intrusion).
48
© Microsoft Corporation. All rights reserved.
Appendix
Appendix II – Security Patch Management
Process Document Outline
Purpose
toolset-specific deployment procedures. See
Appendix V – Security Patch Management
Plan Document Outline.
The security patch management process
describes how the agency will carry out
security patch management and the roles and
responsibilities of people who perform
security patch management-related activities.
The creation of the security patch
management process is the responsibility of
the process owner within the agency (as
defined in the policy), who may engage
various disciplines within the agency to define
the process.
Roles and Responsibilities
This section contains the matrix for defining
who within the agency is Responsible,
Accountable, Consulted and Informed during
each of the activities outlined in the security
patch management process.
Mitigation Timeframes
What are the timeframes for implementing
the security patch management policies for
the various systems with the agency? The
capability Implementation Plan will take
guidance from the strategy to develop their
implementation cycles.
Document Composition
Typically, a security patch management
process will include the following:
Process Objective
Key Success Indicators
This section would describe the purpose and
objective of the security patch management
process.
This section will contain the indicators which
measure the effectiveness of the process.
Some common measures for security patch
management may include:
Security Patch Management Process Flow
and Procedures
• Vulnerability window for ‘Extreme Risk’
patches (ISM Control 1144 specifies 2 days)
• Percentage of patches scheduled to be
released within the deployment timeframe
• Incidents caused by patch installation
• Number of emergency changes raised to
deploy patches
• Number of deferral reports raised
This section should detail the process
workflow, along with the detailed step
guidance for each activity step. Inputs,
outputs and the responsible party for each
activity should also be clearly defined.
A sample process workflow is described in the
Security Patch Management Detailed StepGuidance section of this document and can be
tailored to implement the agency’s security
patch management policies.
A process should address the high-level patch
management activities, but should not go
down to the level of system-specific, or
Agencies should design the relevant indicators
to make sure they are able to measure the
effectiveness of the process against the
approved policy in an efficient manner.
49
© Microsoft Corporation. All rights reserved.
Appendix
Appendix III – Capability Implementation
Plan Document Outline
Purpose
• Major tasks that need to be executed for
the implementation to be successful
• Schedule for the implementation of the
above identified tasks
• Budget and resource requirements
• Training and side-by-side support
• Changes to tools/implementation of new
tools
• Expected impact
• Measuring project success.
The Capability Implementation Plan (CIP)
describes the detailed activities required to
bring the agency’s IT systems to the required
compliance levels. The document is typically
owned by IT Security with the various System
Owners contributing to the system specific
content. The document outlines the body of
work that need to occur to implement the
capability, focusing on prioritising the highrisk components of the agency’s environment.
Stakeholder Management
What stakeholders need to be consulted,
involved in the development of the Capability
Implementation Plan? What roles will they
play? Are they supporters of the initiative or
do they need to be brought on-board. What
tools are available, and what tools need to be
procured??
Document Composition
Typically, the CIP will include the following:
Introduction
This section of the document will list all the
services/systems that have been analysed by
IT Security, their ownership information and
the priority for the agency to address security
patch management for the service/system
(high, medium, low).
Communications
The document should discuss the creation of a
Communications Plan as well as how the
change will be managed within the organised
so it ‘sticks’ (see section Embedding the
Security Patch Management Capability for
further information).
Inventory
Clearly articulate all systems in their
respective priorities (priority 1, priority 2…
Priority n) to make sure that there is clear
understanding of which systems need to be
prioritised first.
Signoff
Clearly document the commitment from the
senior executive, capability owner and the
areas responsible for execution. Having a
signed-off Implementation Plan often assists
with resource, time and cost commitments
from the implementation teams, especially if
the implementation is run as a project.
Implementation Schedule
This section should discuss the timeframes for
bringing the systems under the compliance of
the security patch management process.
The Implementation schedule should discuss
the following topics:
50
© Microsoft Corporation. All rights reserved.
Appendix
Appendix IV – Security Patch Management
Deferral Notice Document Outline
Purpose
Impact Definition
This section will capture the risk associated
with the non-compliance:
The ISM discusses the topic of provisional,
documented, and approved non-compliance
to policy controls. Given the appropriate
approval and remediation plan, compliance
may be deferred for a limited period. The
security patch management deferral notice
captures the non-compliance to the agency’s
security patch management process and any
associated deployment timeframes mandated
by the ISM controls, as defined by the
agency’s security patch management policy.
•
•
•
•
•
Identifier of deferred patch
Deferral period
Mitigating controls and residual risk
Factors driving non-compliance
Business services that are exposed due to
the system remaining unpatched
• Business functions at risk to the system
remaining unpatched
• Business function owner who has agreed
to the deferral (Non IT Branch Head)
• Remediation plan – Including activities and
planned dates.
The deferral notice document is the
formalisation of an in-principle agreement
between IT Security (under the delegation of
the Accreditation authority) and the System
Manager to defer a patch deployment and
thus compliance to ISM controls relating to
deployment timeframes. It is important that
IT Security track all outstanding action items
against their due by dates to encourage
System Owner accountability for remediation
activities.
IT Security Risk Assessment
The risk of the deferral must be accurately
captured and understood before an informed
risk-based decision can be made. It is
important that the risk associated with
deferred, documented non-compliance is
reviewed by IT Security. This section should
include:
Document Composition
• IT Security’s assessment of the residual risk
• Recommendations on the Deferral Notice
including restrictions and special
conditions.
The security patch management deferral will
include the following sections:
Deferral Details
Recording Approval
The section records information about the
request being made. The following
information should be captured within this
section:
IT Security should take into account various
compliance aspects when assessing a deferral
to ensure that the documentation is
sufficient, and that the level of risk is
acceptable before recording their approval.
• Identifiers of affected systems
• System Manager
• System Owner
51
© Microsoft Corporation. All rights reserved.
Appendix
Appendix V – Security Patch Management
Plan Document Outline
Purpose
Service Information
This section is a brief description of the
service including:
A process covering security patch
management would generally not detail
service-specific or system-specific attributes
and procedures, and would instead focus on
more high-level process activities. This
system-specific information should be readily
available in a more lightweight reference
document.
• Service name
• Service objectives – Description of how the
service will assist with the agency’s
business achieve their outcomes
• Service Owner – Agency executive
accountable for operations of the service
• Service composition – The list of systems
that compromise the service and the
interdependencies between the systems.
The security patch management plan
document put forward in this approach
captures all service-specific and systemspecific information, including system-specific
procedures for patching the system/service.
The security patch management plan should
be used in conjunction with the process to
bring the service-specific and system-specific
information to the approach.
Adding a Service Map (Microsoft, 2010) is a
good way to capture the various components
within the service and can assist with the
identification of the supporting systems.
System Attributes
Repeat this section for each system
comprising the service. This section details
each system including:
Document Composition
The security patch management plan includes
the following sections:
• System name
• System objectives – Description of how the
system assists the service in achieving the
service objectives
• System Owner – Band 1 executive, usually
the branch head3
Introduction
The introduction will state the purpose of the
system and how it supports the agency’s
business functions and objectives. It should
assist with understanding the business impact
of a compromise to the system’s
confidentiality, integrity or availability.
“While it is strongly recommended that a system
owner is a member of the Senior Executive Service,
or in an equivalent position, it does not imply that
the system managers should be at such a level”
(Australian Signals Directorate, 2014).
3
52
© Microsoft Corporation. All rights reserved.
Appendix
Vendor Information
For example, it may that for a given system
there is an expected compliance rate of 80%
after 48 hours since deployment commenced.
This anecdotal information is important to the
ongoing monitoring exercise.
This section is to be repeated for each vendor
represented in the system. Capture the
following vendor information:
• Vendor name
• Vendor product update website
• Primary and alternate security bulletin
information sources
• Patch release schedule
• Authoritative source of security patches
• Patch access information (if appropriate)
Governance & Reporting
This section documents the IT Service
Management requirements (Service
Transition (OGC, 2011)) to be considered
during the operation of the security patch
management process including:
Patch Prioritisation
• Change control reference
• Release & deployment windows
• Business end user notification email
template
• Reporting (discussed in section A.1 Report
of Security Patch Management Detailed
Step-Guidance).
Refer to Appendix I – Assessing System Risk
for information on how to create content for
this section.
• Maximum Business Impact (MBI)
• Exploit Likelihood (EL).
Resource Management
Patch Implementation Procedures
This section documents the resourcing
requirements to complete the patching
activities assigned to the team. This also
enables the team to commit the resources in
advance for all patching activities.
This section captures all of the information
required to perform the implementation, such
as:
• Test strategy and test plan
• Piloting requirements (targeted end points
or phased releases)
• Deployment procedures
• Back out plan and procedures
• Business verification (if required).
Deployment Tracking
As part of system on-boarding, create a
baseline of the expected rates of distribution
and installation of patches for the system.
Depending on a number of environmental
factors, system compliance over time will
often follow a familiar trajectory, approaching
similar limits at a similar rate. Understanding
this performance characteristic is important
to the monitoring exercise and understanding
if there are potential new issues.
53
© Microsoft Corporation. All rights reserved.
Appendix
54
© Microsoft Corporation. All rights reserved.