Automatically Patch Operating Systems and Applications: Fillable template and example

Fillable template: Automatically patching operating systems and applications policy DOCX, 38 KB

Fillable templates provide instructions on the information required to be documented for certification.

Example: Automatically patching operating systems and applications policy DOCX, 77 KB

Examples provide sample text to help learners complete a template.

[organization name/letterhead]

Automatically patching operating systems and applications policy

[insert date]

Disclaimer

Cybersecure Canada has developed this template for your use in relation to certification requirements for the automatically patch operating systems and applications security control area. It provides guidance as to how information can be organized and documented for certification. Cybersecure Canada does not guarantee a successful certification from use of this template. Organizations are not obliged to use this template and may provide the certification requirement(s) in a documented format best suited for them.

Template instructions

Instructions: the purpose of this template is to help users to meet the certification requirements for the automatically patch operating systems and applications security control area for Cybersecure Canada.

Instructions are provided in blue font within each section of this template. Upon completion of the template, delete these instructions.

It is recommended that users review the elearning module for automatically patch operating systems and applications and the completed example of this policy. Instructions end.

Revision history

The automatically patching operating systems and applications policy has been modified as follows:

| Date | Version | Modification | Modifier |
|---|---|---|---|
| [date edited] | [document version] | [description of changes made] | [name of the editor] |

Scope

Instructions: insert your scope statement or use the provided example.

Identify person/team responsible for overseeing and executing the policy.

This policy shall apply to [name/team] responsible for overseeing software and hardware at [organization name] and shall govern the procedures and security that must be followed for any automatic, manually updated, or non-updated software and hardware.

Automatic updates

Instructions: insert your scope statement or use the provided example

Automatic patching at [organization name] is enabled for all software and hardware capable of this feature.

Manual updates of software and hardware

Instructions: insert your manual update policy statement(s) below. Alternatively, you can use the provided example.

  • There are [time period, for example, monthly, bi-annual, annual, etc.] scheduled checks of all items identified by the organization as requiring manual updates.
  • Any identified updates or patches must be implemented within [timeframe].

Securing non-updated software and hardware

Instructions: insert your policy statement(s) addressing how non-updated software and hardware will be secured below:

[organization name] will secure all software and hardware that is not configured for automatic patching.

Enforcement

Instructions: insert your enforcement statements below or use the provided example:

It is the responsibility of [name/team] to ensure regular scheduled checks are completed accurately and completely for all manually updated software and hardware. All non-updated software must be maintained by [name/team] to ensure all listed items are secured, and to search for alternative software to mitigate any risk associated with using non-updated software.

Additional certification requirements

Process to manually update software and hardware

Instructions: insert an overview of your organization's processes/procedure to ensure manual updates are applied. Be sure to highlight how often the process is triggered (for example, weekly/bi-weekly/monthly/etc.) and who is responsible for performing the work.

Process to secure non-updated software

Instructions: explain how your organization ensures non-updated software is secured (for example, explain how the devices are isolated). You can usually accomplish this by isolating the software and hardware using one or more of the following security measures:

  • Physical isolation
  • Firewall
  • Dedicated network

Rationale for use of any non-updated software

Instructions: provide your organization's explanation and rationale for continued use of non-updated software.