STIG ID - BACF1003: Document Procedures for Security Related Software Patches

Severity: 1 - High
A software vendor's code can contain vulnerabilities that compromise the integrity of your organization's systems or of the data on those systems. Vendors often issue patches to correct these vulnerabilities. Your site must maintain documented procedures for scheduling, applying, and logging security related software patches.
This STIG article provides guidance to ensure that documented procedures exist, and are maintained, for scheduling, applying, and logging security related software patches.
Check content: the organization will ensure that security related software patches are installed.
Identify Audit Finding
Review the following data to determine if you should consider remediation:
Follow these steps:
  1. Verify with the Information System Security Officer (ISSO) that documented procedures exist for scheduling, applying, and logging security related software patches.
  2. If documented procedures exist, your organization does not have an audit finding.
  3. If documented procedures do not exist, your organization has an audit finding. See Remediate Audit Finding.
Remediate Audit Finding
The Information System Security Officer (ISSO) and the Systems Programmer are responsible for ensuring that all security related software patches are scheduled, applied, and documented.
Follow these steps:
  1. Check the operating system vendor web sites on a regular basis for information on new security patches that apply to your systems.
    A security patch is deemed applicable if the affected product is installed, even if it is not used or is disabled.
  2. Schedule a time to apply each applicable security patch to your systems.
  3. Apply the security patches to your test environment and test them there.
  4. Apply the security patches to your production systems only after they have been successfully tested in your test environment.
  5. Document which security patches were applied and tested, in both the test environment and the production systems.
When these steps are complete, your organization has developed and documented procedures that facilitate the implementation and integrity of its system controls.
Control Correlation Identifier (CCI)
A Control Correlation Identifier (CCI) list provides a standard identifier and description for each of the singular, actionable statements that comprise a control or best practice. The following CCIs are related to this STIG. For more information, see the National Institute of Standards and Technology website.
CCIs: CCI-001220
CCI: CCI-001220
Published Date: 2009-09-22
Definition: The organization develops and documents procedures to facilitate the implementation of the system and information integrity policy and associated system integrity controls.
Type: policy
References:
NIST: NIST SP 800-53 (v3): SI-1 b
NIST: NIST SP 800-53 Revision 4 (v4): SI-1 a 2
NIST: NIST SP 800-53A (v1): SI-1.1 (iv) (v)