ITPROSEC Security Patch Management Program for Security Devices
TABLE OF CONTENTS
1. INTRODUCTION
Purpose
Document Scope
Audience
Document Information
Document ID | SOC – Firmware Version Upgrade & Patches of Security Devices |
Version | 1.2 |
Process Primes | ITPROSEC SOC |
Document History
1. INTRODUCTION
Purpose
The purpose of this document is to describe the ITPROSEC Security Patch Management Program for managed security devices.
ITPROSEC Security receives notifications from vendors and other third-party security feeds, from the ITPROSEC Threat Assessment Group (STAG), and from a monthly approved firmware review within ITPROSEC Security DEV OPS.
ITPROSEC Security also proactively assesses the firmware version upgrades needed to enable new required features.
Document Scope
In Scope
This document deals with the process around patches to customer managed security devices.
Audience
This document is intended for ITPROSEC Security MSS Customers.
1.1.1 ITPROSEC Security Threat Assessment Group (STAG)
The ITPROSEC Security Threat Assessment Group (STAG) holds regularly recurring meetings to review the following:
- All security threats and vulnerabilities that could potentially affect ITPROSEC and its customers.
- Email alerts sent to ITPROSEC by our vendors, which are prioritized for review and lab testing.
1.1.2 Security build – monthly firmware reviews
The ITPROSEC Security prime hosts a monthly firmware build review and works with the internal Security Dev Ops team to determine device firmware based on the alerts and patches deployed by the vendors. This is done to ensure that ITPROSEC remains current and that vendor support is sustained.
1.1.3 Vendor Notifications and Feeds regarding firmware versions
There are several vendor notifications and feeds relating to patches for security devices. All vendor notifications are reviewed by the ITPROSEC Support team and Security prime and prioritized according to urgency and impact.
1.1.4 Security Review of Patch Notifications
Patch notifications are reviewed to determine if they are required to address device functionality or vulnerability issues. Patch reviews are prioritized based on threats to security posture.
1.1.5 Patching Required?
Is the Upgrade or Patch warranted, given the assessment?
When a potential issue is identified, ITPROSEC Security assesses its relevance and impact on the managed customer base to determine risk and exposure.
- Once the exposure to the platforms is identified, a schedule for upgrading will be created by following the standard change management process.
- ITPROSEC will test the upgrade patch or version in the TEST lab and schedule it on an as-needed basis with the customer through Change management processes.
- Emergency patches are deployed through Incident management.
- Determining the severity of the exposure is required to ensure that the impact on the customer’s environment and business is minimized.
1.1.6 LAB TESTING prior to deployment
ITPROSEC takes every possible measure to minimize potential vulnerabilities and impact to its customers. As such, ITPROSEC performs patch-level testing on the ITPROSEC lab devices (applicable devices only).
Testing can be performed at the firmware level only. End-to-end customer testing cannot be replicated in the lab environment.
Emergency firmware updates/patches to firmware are normally a repaired version of existing firmware and have been tested by the vendor prior to distribution.
1.1.7 Identify Severity
Severity is identified by comparing device firmware and configuration against confirmed or probable functionality and vulnerability issues.
1.1.8 Follow incident management process for emergency changes
Emergency changes are carried out with urgency. ITPROSEC Security reaches out to contacts to schedule emergency service windows. In the event that a customer cannot be contacted, ITPROSEC Security may proceed with an emergency configuration/firmware change to mitigate ongoing, re-occurring or imminent threats.