Cyber Security Policy Manual

POLICY

1) IT Administrators must review, evaluate, and appropriately apply security updates and software patches to systems, applications and network devices in a timely manner. If patches cannot be applied in a timely manner due to hardware or software constraints, other mitigating controls must be evaluated and implemented to reduce the risk to an acceptable level.

2) In order to protect the City’s systems, applications and confidential information, IT Administrators must apply security updates and software patches in accordance with the specific timeframes here:
   a. For critical or out-of-band updates (emergency cycle) – security updates and software patches must be tested for 2 days and then deployed to all production systems and applications immediately after.
   b. For important updates or updates that are released within the normal window (normal cycle) – security updates and software patches must be tested for 2 weeks and then deployed to all production systems and applications immediately after.

3) In the event of a security vulnerability or incident, devices may be removed from the network or isolated. IT Administrators will be contacted to identify and resolve the issue.

4) Each vulnerability alert and patch release must be evaluated to ensure that it applies to the City’s systems and applications prior to taking any action, in order to avoid unnecessary patching.

5) Automated tools must be used to deploy security updates and software patches to systems and applications. Manual patching is acceptable for critical systems and applications.

6) Vulnerability scans must be conducted against all systems, applications and network devices to identify vulnerabilities related to missing security updates and software patches. The scan results must be evaluated and communicated to IT Administrators. IT Administrators must mitigate all identified vulnerabilities according to the timeframes defined in the Vulnerability Management Policy.

7) All security updates and software patches must be tested prior to deployment to production systems and applications.

8) IT Administrators must ensure that all systems, applications and network devices are fully patched before production migration.

9) A back-out plan that allows safe restoration of systems and applications to their pre-patch state must be devised prior to security update and software patch deployments. The plan can be executed in the event that the patch has unforeseen effects.
