Software Update Policy (SUP)

Overview & Scope

Background

This document outlines the policy of patching and updating in place within different Pipe Ten services and service levels. This Patching Policy forms part of the overall Information Security Policy.

Outdated software can be unstable or vulnerable, may no longer qualify for support, and is otherwise not indicative of a secure IT environment.

It is necessary to ensure all software is regularly checked to be of the latest version, with all appropriate security and other patches applied as soon as possible.

Applicability / Scope

  • Pipe Ten Infrastructure
    • All inclusive, as per this policy
  • Fully Managed Hosting (with Control Panel Integration)
    • All inclusive, as per this policy
  • Shared, Virtual, Physical Self Managed Hosting (without Control Panel Integration)
  • Patch and Management Service (for Self Managed and Bespoke Hosting)

PLEASE NOTE: Schedules vary depending on type, see “Patching by Type”.

Security Maintenance & Management

Security Patching Policy

All hardware and operating systems connected to Pipe Ten’s networks, regardless of type or specification, are to be protected from malicious code and the exploitation of software vulnerabilities through the deployment and installation of operating system (and other) security patches. Critical security patches should be installed across all Pipe Ten devices universally, as soon as available, in accordance with this policy.

Monitoring

Pipe Ten monitors all appropriate security mailing lists, forums, vendor alerts, industry news and its own security scanning and incidents, using both manual and automated means as part of a constantly evolving process. Pipe Ten aims to digest all monitored information in less than 48 hours from public release, for collation and analysis of risk/scope/urgency, to be dealt with through normal “Testing, Release & Installation” or “Accelerated Release” as further outlined below.

Testing, Release & Installation

Prior to making new patches available for installation, Pipe Ten will first review and test said patches on non-live or non-customer installations, as and when they become available from the monitored sources. New vulnerabilities and patches are to be reviewed, tested and released for install no less than 72 hours after detection through monitoring. Pipe Ten aims to update all servers within scope to the latest reviewed/available patches within 10 working days or sooner (see “Accelerated Release”). If problems are encountered during the review and testing of any patches, they may be delayed or otherwise held back until such time as the problems are fixed or addressed through other means. If the delay or vulnerability is reviewed as posing significant customer risk without the opportunity to mitigate, Pipe Ten will notify the customer, recommending a course of action.

Accelerated Release

When an exploit for a vulnerability exists or is in use prior to the release of a patch, Pipe Ten will seek to mitigate the risks through other means or accelerated release. In the event that a vulnerability or patch is deemed significant, Pipe Ten will seek to accelerate the testing and deployment of said patches in advance of the defined schedules.

Compliance Monitoring & Reporting

Pipe Ten monitors the versions and patch status of software within scope on each server/service, being alerted to any old versions to be addressed in line with this policy.

Non-Patched Devices

In circumstances where it is not possible to install patches, due to being unable to agree a mutual outage window or to customer reliance on older/no longer updateable or supported versions of software, Pipe Ten reserves the right to discontinue monitoring, service or guarantees until the situation is resolved. This includes, but is not limited to, removing the device from the Pipe Ten network.

Patching by Type

Windows Devices

Windows Operating System and other associated updates are typically, but not always, released on the second Tuesday of each month. “Testing, Release & Installation” follows the schedules defined above. Urgent or out-of-schedule releases are handled as per “Accelerated Release” above.

Linux Devices

Linux deployments, primarily consisting of the CentOS operating system and other associated software, are monitored through repository updates and synchronisation. “Testing, Release & Installation” follows the schedules defined above with the exception of kernel updates, which may be held back to avoid reboots/downtime on non-redundant devices where policy/risk/scope allows. Urgent or out-of-schedule releases are handled as per “Accelerated Release” above.

XenServer Devices

XenServer deployments, and associated software, are monitored through Citrix security bulletins with both automated and manual verification. “Testing, Release & Installation” follows the schedules defined above with the exception of pooled hosts, which may be held back for stability purposes where policy/risk/scope allows. Urgent or out-of-schedule releases are handled as per “Accelerated Release” above.

Firewall Devices

pfSense and other firewall deployments, plus associated packages/scripts, are monitored through pfSense and other blogs / security bulletins, with automated verification of the latest appropriate version. The “Testing, Release & Installation” schedule is less frequent than that defined above, with phased major version upgrades across all devices within scope. Urgent or out-of-schedule releases are handled as per “Accelerated Release” above.

Network Devices

Cisco, Dell & other networking deployments, plus associated addons/scripts, are monitored through Cisco and Dell bulletin subscription, with manual verification of the latest appropriate version no less than once per quarter. “Testing, Release & Installation” follows the schedules defined above with the exception of Installation, which may be less frequent if risk allows. Urgent or out-of-schedule releases are handled as per “Accelerated Release” above.

Hardware Firmware

Hardware firmware and systems management devices, primarily Dell and Raritan, are monitored for firmware updates through semi-automated methods. The “Testing, Release & Installation” schedule is less frequent than those defined above, occurring once per quarter due to reduced exploit scope.

Other Devices & Software

All other devices and their associated software follow the policies outlined above.

Reporting

To report an improvement, problem or feedback on the Pipe Ten Patching Policy, please contact one of the contributors listed on the cover sheet.

Last modified 5th December 2017 by Carl Heaton