Change and patch management

Policy Statement

Everperform is responsible for ensuring the confidentiality, integrity, and availability of its own data and of any customer data stored on its systems. Everperform has an obligation to provide appropriate protection against malware threats, such as viruses, Trojans, and worms, which could adversely affect the security of the system or the data entrusted to it. Effective implementation of this policy will limit the exposure to, and the effect of, common malware threats on the systems within this scope.

Purpose

Information security is the protection of information against accidental or malicious disclosure, modification or destruction. Information is an important, valuable asset of Everperform, which must be managed with care.

This policy defines the requirements for maintaining up-to-date operating system security patches on all Everperform owned and managed infrastructure.

Scope

This policy applies to all computers, servers, systems and network infrastructure owned, maintained or managed by Everperform, and to the administrators of any associated networks or systems. The policy applies directly to Everperform staff responsible for the ongoing maintenance of existing services or systems or the introduction of new ones, but also governs anyone else undertaking similar activities with regard to the Everperform network.

Policy

Workstations and servers owned by Everperform must have up-to-date (as defined by the manufacturers' standards) operating system security patches installed to protect the asset from known vulnerabilities. This includes all laptops, desktops, and servers owned, managed or associated with Everperform.

Workstations

Desktops and laptops must have automatic updates enabled for operating system patches. This is the default configuration for all workstations managed by Everperform. Any exception to the policy must be documented and forwarded to the Chief Security Officer for review. (See Section 8.0 on Exceptions.)

Servers

Servers must comply with the minimum baseline requirements, which are based on approved industry standards. These minimum baseline requirements define the default operating system level, service pack, hotfix, and patch level required to ensure the security of any Everperform asset and the data that resides on the system. Any exception to the policy must be documented and forwarded to the Chief Security Officer for review. (See Section 8.0 on Exceptions.)

Software Packages

All software packages used in relation to Everperform will be kept at a stable build number and upgraded when any of the following criteria is met:

  • The package is found to contain a vulnerability

  • The package receives a stable update containing desirable improvements or features not currently available

  • The package is no longer compatible with another package, system or application and requires updating

Any updates that do take place are thoroughly tested throughout development before deployment to production.

Roles and Responsibilities

Everperform has contracted Amazon Web Services (AWS) to provide Infrastructure as a Service. AWS supplies the server and database infrastructure and manages the physical upkeep and security of these elements. Everperform has also contracted Base2Services, as certified AWS specialists, to assist in the day-to-day running and upkeep of software and the implementation of AWS infrastructure. Base2Services collaborates with Everperform and provides both DevOps and SecOps services.

Monitoring and Reporting

Monitoring and reporting of compliance with Everperform's patch management policy for workstations will be carried out through random audits conducted by either the Chief Security Officer or the Chief Executive Officer.

Monitoring and reporting of compliance with industry standards for server and database change and patch management will be handled by Base2Services and monitored by the Everperform Chief Security Officer.

Monitoring and reporting of compliance with industry best practice for software versioning and management is to be managed by the nominated system owners and monitored by the Everperform Chief Security Officer via a monthly audit of critical systems.

Enforcement

Implementation and enforcement of this policy is ultimately the responsibility of all employees at Everperform. The Chief Security Officer may conduct random assessments, without notice, to ensure compliance with this policy. Any workstation or network found in violation of this policy shall require immediate corrective action. Violations shall be reported to both the Chief Security Officer and the owner of Everperform's Information Security Management Policy. Repeated failures to follow policy could lead to disciplinary action.

Exceptions

Exceptions to the patch management policy require formal documented approval from the Chief Security Officer. Any servers or workstations that do not comply with policy must have an approved exception on file with the Chief Security Officer. Please refer to the Chief Security Officer or Chief Executive Officer for details on filing exceptions.