ITPOL08 Patch Management Policy



Version: V5

Ratified by: Finance & Investment Committee

Date ratified: 03/04/2024

Job Title of author: Assistant Director – IT & Systems

Reviewed by Committee or Expert Group: Technology Programme Group

Equality Impact Assessed by: Assistant Director – IT & Systems

Related procedural documents: ITPOL05 – IT Software Management Policy

Review date: 03/04/2027

It is the responsibility of users to ensure that they are using the most up-to-date document template, i.e. the one obtained via the intranet.

In developing/reviewing this policy Provide Community has had regard to the principles of the NHS Constitution.

Version Control Sheet

Version | Date       | Author                            | Status                          | Comment
DRAFT   | 23/11/14   | Head of IT & Data                 | DRAFT                           | To be agreed by TPB
1.0     | 14/12/14   | Head of IT & Data                 | Approved                        | Approved by TPB
2.0     | 17/01/17   | Head of IT & Data                 | Updated                         | Approved by TPB
3.0     | 05/02/2019 | Head of IT & Data                 | No approved                     | Minor updates and new patch Tuesday dates added
4       | 02/01/2020 | Assistant Director – IT & Systems | Approved by FRC in October 2020 | Updates to patch dates
5       | 02/01/2024 | Assistant Director – IT & Systems | Version Approved                | Approved by Technology Programme Group

1. Introduction

Security vulnerabilities within computer systems, applications, and network hardware pose significant risks, including potential data loss or the introduction of viruses and malicious software into the network. To mitigate these risks, software manufacturers release patches that address security vulnerabilities and bolster defences against emerging threats. This policy primarily focuses on Microsoft patching due to its well-established and predictable release cycle; however, the principles outlined herein apply universally to the patching of all systems maintained by Provide.

2. Purpose

The primary objective of this policy is to guarantee that all computers connecting to Provide's infrastructure are equipped with up-to-date virus protection software, the latest virus definition libraries, and the most recent updates for operating systems and security patches. This ensures a secure and resilient computing environment, safeguarding against vulnerabilities and threats, thereby maintaining the integrity, availability, and confidentiality of our systems and data.

3. Benefits

The successful enforcement of this policy is designed to ensure that patches are applied promptly, thereby maintaining the availability, security, and compliance of our systems with key standards and legal requirements, including:

• Data Protection Act 2018

• Computer Misuse Act 1990

• General Data Protection Regulation (GDPR)

• ISO 27001:2013 - ISO/IEC 27001 Information Security Management

• Cyber Essentials Scheme - Cyber Essentials Scheme Overview

Implementing stringent IT policies and procedures not only enhances the reliability and security of our operations but also builds a strong foundation of trust among our department, commissioners, and both existing and potential clients. This structured approach to change management signifies our commitment to excellence and adherence to best practices in information security.

4. Scope

This policy encompasses all personnel working for or on behalf of Provide and its subsidiary companies, including individuals who connect any device to the Provide internal network. It covers all IT hardware owned or leased by Provide, including but not limited to servers, desktop computers, laptops, tablets, Internet of Things (IoT) devices, medical devices, and network equipment.

The guidelines outlined in this document pertain to all software utilised within Provide, such as:

• Operating Systems

• Endpoint BIOS and Firmware

• Networking Firmware

• Server Applications

• Desktop Applications

• Smartphone Applications

5. Patch Management principles

To maintain the highest level of security and functionality, all devices and software within our environment are updated as soon as possible. To achieve this, we use various tools and technologies. Below are the principles applied to each device type within the environment. Regardless of the risk score of the patch, all patches are deployed and installed without delay.

Laptops/Desktops:

Patches are distributed and applied automatically as they are released. Devices start installing required updates upon activation, with users allowed an 8-hour window to reboot. This period may be shortened in exceptional circumstances by the Technology Operations Manager, depending on risk and impact.

Servers:

Patches are applied on the release day within designated server maintenance windows. Timing may vary based on the risk and potential impact of vulnerabilities.

Windows Server Patching: Managed using the same tools as laptops and desktops.

Linux Server Patching: Conducted manually during the server maintenance windows.

Network Infrastructure:

Updates are automatically scheduled and executed by the Infrastructure Team to minimise impact, tailored to the specific requirements of each site.

Mobile Phones and Tablets:

Managed through Mobile Device Management (MDM) tools, enforcing policies to install the latest stable builds and app updates as soon as available.

BYOD mobile devices are excluded from this policy.

Non-Provide managed devices:

Devices not managed by the IT team that are connected to Provide networks in any way must conform with Cyber Essentials as defined below.

“Patched within 14 days of an update being released, where the patch fixes a vulnerability with a severity the product vendor describes as 'critical' or 'high risk'.*

Some vendors release patches for multiple issues with differing severity levels as a single update. If such an update covers any 'critical' or 'high risk' issues, then it must be installed within 14 days.

*If the vendor uses different terms to describe the severity of vulnerabilities, see the precise definition in the Common Vulnerability Scoring System (CVSS).”
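The quoted Cyber Essentials rule can be applied mechanically to a supplier's patch list. The following is an added example, not part of the policy or of Provide's tooling: it classifies each update on a constructed inventory as out-of-scope, compliant, pending or overdue, treats a bundled update as in scope if any issue it fixes is critical/high, and falls back to an assumed CVSS v3.x threshold of 7.0 (the bottom of the "High" band) where a vendor gives only a score.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

MAX_DAYS = 14  # the 14-day window quoted in section 5
# Vendor labels the quoted rule names explicitly (compared case-insensitively).
IN_SCOPE_LABELS = {"critical", "high", "high risk"}
# Assumption: where a vendor uses other terms, fall back to the CVSS v3.x
# qualitative scale, in which High starts at 7.0 and Critical at 9.0.
CVSS_HIGH_THRESHOLD = 7.0

@dataclass
class Issue:
    ident: str                      # constructed identifier, not a real CVE
    severity: Optional[str] = None  # vendor's own label, if it gives one
    cvss: Optional[float] = None    # CVSS base score, if it gives one

@dataclass
class Update:
    name: str
    released: date
    installed: Optional[date]       # None while still outstanding
    issues: List[Issue] = field(default_factory=list)

def issue_in_scope(issue: Issue) -> bool:
    """True if the vendor calls the issue critical/high, or its CVSS is High or above."""
    if issue.severity and issue.severity.lower() in IN_SCOPE_LABELS:
        return True
    return issue.cvss is not None and issue.cvss >= CVSS_HIGH_THRESHOLD

def update_in_scope(update: Update) -> bool:
    """A bundled update inherits the 14-day deadline if any issue it fixes is in scope."""
    return any(issue_in_scope(i) for i in update.issues)

def assess(update: Update, today: date) -> str:
    """Classify one update as out-of-scope, compliant, pending or overdue."""
    if not update_in_scope(update):
        return "out-of-scope"
    due = update.released + timedelta(days=MAX_DAYS)
    if update.installed is not None:
        return "compliant" if update.installed <= due else "overdue"
    return "pending" if today <= due else "overdue"

def overdue_updates(inventory: List[Update], today: date) -> List[str]:
    """Names of updates breaching the rule, for follow-up with the supplier."""
    return [u.name for u in inventory if assess(u, today) == "overdue"]

# Constructed sample inventory for one supplier-managed device (not real vendors or updates).
TODAY = date(2024, 3, 20)
INVENTORY = [
    Update("Vendor-X March rollup", date(2024, 3, 1), date(2024, 3, 10),
           [Issue("X-1", severity="Critical"), Issue("X-2", severity="Low")]),
    Update("Vendor-Y firmware 4.2", date(2024, 3, 1), None, [Issue("Y-1", cvss=8.1)]),
    Update("Vendor-Z hotfix", date(2024, 3, 12), None, [Issue("Z-1", severity="Moderate")]),
    Update("Vendor-W agent 2.5", date(2024, 3, 12), None, [Issue("W-1", severity="High risk")]),
]
```

Running `overdue_updates(INVENTORY, TODAY)` on the sample returns only the firmware update, which is the item the cyber security team would raise with the supplier under section 6.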

6. Non-compliance and patching errors

Updates commence upon device startup. Devices not meeting update compliance are monitored, and their users are assisted by the Cyber Security or Service Desk teams to ensure updates are applied. Non-compliant devices may be temporarily isolated from the network until compliance is achieved.

Widespread errors

Should any update cause widespread errors or break the functionality of systems, the patch deployment will cease and affected devices will be rolled back to their previous state. The patch will be redeployed only once a resolution or workaround has been implemented.

Non-Provide managed devices

These devices, if non-compliant, are not isolated but may be subject to risk mitigation measures. Non-compliance will prompt contact from Provide’s cyber security team to supplier account management or technical teams for resolution, potentially escalating to the contracts and legal team if necessary.

7. Tools and technologies

Windows Updates Deployment:

Windows updates are managed through a combination of SCCM (System Center Configuration Manager) and a local PowerShell script (PSWindowsUpdate). SCCM ensures timely deployment of Microsoft and 3rd party updates, while the PSWindowsUpdate script facilitates daily update checks directly from Microsoft. This dual approach ensures comprehensive coverage and efficient patch management.

Update Distribution:

Daily updates sourced from PatchMyPC and Microsoft are deployed by SCCM to all applicable client devices within our network. Additionally, Windows 10 and 11 devices run a local PowerShell script hourly to obtain updates directly from Microsoft, minimising the risk of a single point of failure. Similarly, server operating systems execute a local PowerShell script on the second Wednesday and Thursday of each month, retrieving updates directly from Microsoft to bolster reliability.

Hardware Related Updates:

Device drivers, BIOS firmware, and other hardware-related updates are applied during device logon using Dell Command Update. This ensures that our systems remain up to date with the latest hardware enhancements and fixes.

Update Monitoring and Response:

Monitoring of updates is carried out through Microsoft Defender for Endpoint (MDE) and LanSweeper. These tools provide visibility into newly released updates and track their installation status across devices. Any instances of updates failing to install are promptly investigated by our Infrastructure team, who deploy fixes as soon as possible to maintain system integrity.

Cybersecurity Alert Handling:

The Infrastructure team receives Cyber Alerts and CareCERTs from NHS England, highlighting critical vulnerabilities that demand immediate attention. Additionally, a weekly roundup of top vulnerabilities is provided to stay proactive in addressing potential security risks.

8. Roles and Responsibilities

To enable the Patch Management Policy to work effectively, staff at all levels within Provide will need to play their part. Some of the key responsibilities are listed below:

8.1. Chief Officers

• Ensuring procedures are in place within their directorates to ensure staff are aware of their responsibilities contained within this policy and that these responsibilities are adhered to.

8.2. Director – IT & Systems

• Implementation and regular review of this policy.

• Leading investigations into reported breaches of this policy.

• Ensuring appropriate software licences are held by Provide.

8.3. Technology Operations Manager

• Ensuring that the list of pilot devices is up to date and that the testers using these devices understand that it is an important part of their role to feed back to the Provide Technology Team.

• Responsible for liaising with any 3rd party suppliers and system owners to ensure compatibility of patches against non-core systems.

• Ensuring that an appropriate level of documentation is kept so that decisions made in relation to releasing patches (or not releasing them) are of a high standard and can be audited if required.

• Ensuring the Infrastructure Team fully execute their responsibilities in an effective and efficient manner.

8.4. Line Managers

• Ensuring that their staff have received appropriate training relating to Information Security and the use of IT Systems.

• Ensuring their staff have read and understood this policy.

8.5. All Staff

• Should be aware that there may be a temporary impact to network and PC performance during the patch deployment.

• Must ensure all desktops, laptops and tablets issued to them are regularly connected to the Provide network.

• Responsible for contacting the Technology Service Desk to report problems at the earliest opportunity.

• Adherence to the organisation’s IT-related policies.

• Ensuring IT equipment is used in an appropriate manner and only for work purposes.

8.6. Infrastructure Team

• Patch management implementation.

• Ensuring all known and reasonable precautions are in place to reduce network vulnerabilities while keeping the network operating.

• Ensuring that the business is aware of the dates that patches are to be released.

8.7. Technology Team

• Ensuring that all Technology staff are familiar with this policy.

• Each member of the Technology department is responsible for the accuracy of the data they enter into Provide’s IT systems and databases.

• Ensuring that high quality advice and guidance in relation to patch management is provided.

Appendix A: Server Maintenance Windows

We have two main categories of servers; how we manage and patch our servers depends on the categorisation. The definitions and categories are:

1. Non-critical/ highly available/ redundant – These servers are either running non-critical systems or services, or servers which are linked in a highly available (HA)/ redundant state; in which another server can automatically take over should one become unavailable.

2. Critical – Servers in this category are running business critical systems or services which would have a detrimental impact on users should the system/service become unavailable during its required operating hours. These servers also lack a linked server which could automatically take over should the primary server cease to function.

Category 1 servers may be updated at any time, as they do not provide business critical functions and will not impact users should the service stop for a time during patching. Servers in HA sets will be separated out into different schedules to prevent system outage. However, this might be at any time the Infrastructure Team deems reasonable to ensure successful patching and effective cyber security.

Server maintenance window: every day 01:00 – 05:00

Category 2 servers may be updated at any time in the event of an urgent/critical update requiring patching immediately to ensure the integrity and security of Provide’s IT systems and data.

EQUALITY IMPACT ASSESSMENT

TEMPLATE: Stage 1: ‘Screening’

Name of project/policy/strategy (hereafter referred to as “initiative”):

Patch Management Policy

Provide a brief summary (bullet points) of the aims of the initiative and main activities:

To ensure that Provide desktops, laptops and tablets have security patches implemented in an appropriate time frame.

Project/Policy Manager: Assistant Director – IT & Systems Date: 2nd February 2024

This stage establishes whether a proposed initiative will have an impact from an equality perspective on any particular group of people or community – i.e. on the grounds of race (incl. religion/faith), gender (incl. sexual orientation), age, disability, or whether it is “equality neutral” (i.e. have no effect either positive or negative). In the case of gender, consider whether men and women are affected differently.

Q1. Who will benefit from this initiative? Is there likely to be a positive impact on specific groups/communities (whether or not they are the intended beneficiaries), and if so, how? Or is it clear at this stage that it will be equality “neutral”? i.e. will have no particular effect on any group.

Equality neutral

Q2. Is there likely to be an adverse impact on one or more minority/under-represented or community groups as a result of this initiative? If so, who may be affected and why? Or is it clear at this stage that it will be equality “neutral”?

Neutral

Q3. Is the impact of the initiative – whether positive or negative - significant enough to warrant a more detailed assessment (Stage 2 – see guidance)? If not, will there be monitoring and review to assess the impact over a period time? Briefly (bullet points) give reasons for your answer and any steps you are taking to address particular issues, including any consultation with staff or external groups/agencies.

No Impact

Guidelines: Things to consider

Equality impact assessments at Provide take account of relevant equality legislation and include age (i.e. young and old), race and ethnicity, gender, disability, religion and faith, and sexual orientation.

The initiative may have a positive, negative or neutral impact, i.e. have no particular effect on the group/community.

Where a negative (i.e. adverse) impact is identified, it may be appropriate to make a more detailed EIA (see Stage 2), or, as important, take early action to redress this – e.g. by abandoning or modifying the initiative. NB: If the initiative contravenes equality legislation, it must be abandoned or modified.

Where an initiative has a positive impact on groups/community relations, the EIA should make this explicit, to enable the outcomes to be monitored over its lifespan.

Where there is a positive impact on particular groups does this mean there could be an adverse impact on others, and if so can this be justified? - e.g. are there other existing or planned initiatives which redress this?

It may not be possible to provide detailed answers to some of these questions at the start of the initiative. The EIA may identify a lack of relevant data, and that data-gathering is a specific action required to inform the initiative as it develops, and also to form part of a continuing evaluation and review process.

It is envisaged that it will be relatively rare for full impact assessments to be carried out at Provide. Usually, where there are particular problems identified in the screening stage, it is envisaged that the approach will be amended at this stage, and/or setting up a monitoring/evaluation system to review a policy’s impact over time.

EQUALITY IMPACT ASSESSMENT TEMPLATE: Stage 2:

(To be used where the ‘screening’ phase has identified a substantial problem/concern)

This stage examines the initiative in more detail in order to obtain further information where required about its potential adverse or positive impact from an equality perspective. It will help inform whether any action needs to be taken and may form part of a continuing assessment framework as the initiative develops.

Q1. What data/information is there on the target beneficiary groups/communities? Are any of these groups under- or over-represented? Do they have access to the same resources? What are your sources of data and are there any gaps?

Q2. Is there a potential for this initiative to have a positive impact, such as tackling discrimination, promoting equality of opportunity and good community relations? If yes, how? Which are the main groups it will have an impact on?

Q3. Will the initiative have an adverse impact on any particular group or community/community relations? If yes, in what way? Will the impact be different for different groups – e.g. men and women?

Q4. Has there been consultation/is consultation planned with stakeholders/ beneficiaries/ staff who will be affected by the initiative? Summarise (bullet points) any important issues arising from the consultation.

Q5. Given your answers to the previous questions, how will your plans be revised to reduce/eliminate negative impact or enhance positive impact? Are there specific factors which need to be taken into account?

Q6. How will the initiative continue to be monitored and evaluated, including its impact on particular groups/ improving community relations? Where appropriate, identify any additional data that will be required.

Guidelines: Things to consider

An initiative may have a positive impact on some sectors of the community but leave others excluded or feeling they are excluded. Consideration should be given to how this can be tackled or minimised.

It is important to ensure that relevant groups/communities are identified who should be consulted. This may require taking positive action to engage with those groups who are traditionally less likely to respond to consultations, and could form a specific part of the initiative.

The consultation process should form a meaningful part of the initiative as it develops, and help inform any future action.

If the EIA shows an adverse impact, is this because it contravenes any equality legislation? If so, the initiative must be modified or abandoned. There may be another way to meet the objective(s) of the initiative.

Further information:

Useful websites:

www.equalityhumanrights.com – Website for new Equality agency

www.employers-forum.co.uk – Employers forum on disability

www.efa.org.uk – Employers forum on age

© MDA 2007 EQUALITY IMPACT ASSESSMENT TEMPLATE: Stage One: ‘Screening’
