Patch Management Services
RSI Security's Patch Availability Service provides a comprehensive report of all needed hardware, software, and firmware security patches to support our client’s compliance obligations under their respective regulatory body’s requirements.
We will work with our client’s staff on a consistent basis, ensuring responsiveness and expertise on our client’s requests for their individual patch availability report. RSI Security will review our client’s Master Asset List and provide documentation and patches.
Patch management is a necessary but labor- and time-intensive process that can consume significant technical resources. Let RSI Security monitor the hundreds of third-party software and hardware vendor websites for released patches and provide documentation and installation support for your business.
Patch Availability Recommendations Specific to Industry:
To protect Bulk Electric System (BES) Cyber Assets or Systems, NERC mandates a unified patch management process for tracking, evaluating, and installing security patches for applicable Cyber Assets. Under its Reliability Standard documentation, NERC requires entities to identify sources that track the release of security patches for the entity’s NERC CIP regulated systems.
NERC CIP compliance obligations fall under NERC CIP-007-6 R2 Part 2.1 and portions of NERC CIP-007-6 R2 Part 2.2. We will deliver, no less than once every thirty-five (35) days, a report detailing available patches and update notifications for our client’s systems.
PCI DSS Requirement 6.2
Organizations are required to establish a process to address newly discovered security vulnerabilities, shifting from reactive remediation to proactive identification and patch installations based on active monitoring.
This requirement applies to applicable patches for all installed software, including payment applications (both those that are PA-DSS validated and those that are not).
- Installation of applicable critical vendor-supplied security patches within one month of release
- Installation of all applicable vendor-supplied security patches within three months
Source: PCI DSS 3.2, Pg 54
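The two timelines above are easy to state and easy to lose track of across a large asset list. The following is an added example (not RSI Security's tooling or any PCI DSS artifact) of a small patch-SLA checker that takes a patch inventory and classifies each entry as installed on time, installed late, still pending, or overdue. The asset names, patch identifiers and dates are constructed; the 30- and 90-day windows are an assumption that approximates "one month" and "three months", so adjust them to whatever your assessor accepts.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Added example: patch-SLA checker modelled on the PCI DSS 3.2 Requirement 6.2
# timelines. The 30/90-day figures are an assumption approximating "one month"
# and "three months"; they are not taken from the standard's text.
CRITICAL_SLA_DAYS = 30
STANDARD_SLA_DAYS = 90


@dataclass
class PatchRecord:
    asset: str
    patch_id: str
    critical: bool                    # vendor rates the patch as critical
    released: date                    # vendor release date
    installed: Optional[date] = None  # None means not yet installed


def sla_deadline(rec: PatchRecord) -> date:
    """Date by which the patch must be installed under the assumed SLA."""
    days = CRITICAL_SLA_DAYS if rec.critical else STANDARD_SLA_DAYS
    return rec.released + timedelta(days=days)


def patch_status(rec: PatchRecord, today: date) -> str:
    """Classify one record relative to its deadline."""
    deadline = sla_deadline(rec)
    if rec.installed is not None:
        return "installed" if rec.installed <= deadline else "installed_late"
    return "overdue" if today > deadline else "pending"


def days_overdue(rec: PatchRecord, today: date) -> int:
    """Days past the deadline for an uninstalled patch; 0 if not overdue."""
    if rec.installed is not None:
        return 0
    return max(0, (today - sla_deadline(rec)).days)


def sla_report(records, today: date) -> dict:
    """Group records by status; overdue entries carry their days-overdue count."""
    report = {"installed": [], "installed_late": [], "pending": [], "overdue": []}
    for rec in records:
        status = patch_status(rec, today)
        entry = (rec.asset, rec.patch_id)
        if status == "overdue":
            entry = entry + (days_overdue(rec, today),)
        report[status].append(entry)
    # Worst offenders first, since that is what an assessor asks about.
    report["overdue"].sort(key=lambda e: e[2], reverse=True)
    return report


# Constructed sample inventory: asset names, patch ids and dates are made up.
SAMPLE_INVENTORY = [
    PatchRecord("pos-terminal-01", "VENDOR-2024-001", True, date(2024, 4, 15), date(2024, 5, 10)),
    PatchRecord("db-server-02", "VENDOR-2024-002", True, date(2024, 4, 20)),
    PatchRecord("web-app-03", "VENDOR-2024-003", False, date(2024, 3, 20)),
    PatchRecord("fw-router-04", "VENDOR-2024-004", False, date(2024, 1, 10), date(2024, 5, 1)),
]
AS_OF = date(2024, 6, 1)  # fixed "today" so the run is reproducible


if __name__ == "__main__":
    for status, entries in sla_report(SAMPLE_INVENTORY, AS_OF).items():
        print(f"{status}: {entries}")
```

Run against a real inventory, the "overdue" list is the set of assets that would fail Requirement 6.2 on the assessment date, and "installed_late" is the evidence trail an assessor will ask you to explain. Feeding the checker from the Master Asset List rather than from a hand-maintained spreadsheet keeps the report honest about assets that were never patched at all.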
NIST Patch Management Recommendations
"Patches correct security and functionality problems in software and firmware, and are usually the most effective way to mitigate software flaw vulnerabilities, and are often the only fully effective solution. Upgrades may also fix security and functionality problems in previous versions of software and firmware.
Organizations should deploy enterprise patch management tools using a phased approach. Manual upgrade methods may need to be used for operating systems and applications not supported by automated patching tools, as well as some computers with unusual configurations."
FINRA Patch Management Recommendations
Patches and software updates are areas in which a firm may add or make changes to its controls to reduce cyber threat exposure.
Firms expect vendors to have system patch management controls in place, depending on the risk level of the information to which the vendor has access.
HIPAA Security Management Practices
Systems should be kept current with software upgrades (patches) that correct security deficiencies or enhance the capability to prevent unauthorized access. Users should subscribe to all available software upgrade services and install new security patches as they become available.