ITPROSEC Security Patch Management Program for Security Devices

ITPROSEC Security receives notifications from Vendors and other 3rd party security feeds, the ITPROSEC Threat Assessment Group (STAG) as well as a monthly approved firmware review within ITPROSEC Security DEV OPS. ITPROSEC Security will also proactively make assessments of the firmware version upgrades needed to enable new required features.

TABLE OF CONTENTS

1.       INTRODUCTION…………………………………………………… 2

Purpose……………………………………………………………………….. 2

Document Scope……………………………………………………………. 2

Audience……………………………………………………………………… 2

  1. ITPROSEC Security Threat Assessment Group (STAG)……… 3
    1. Security build – monthly firmware reviews………………………… 3
    1. Vendor Notifications and Feeds regarding firmware versions.. 3
    1. ITPROSEC Security Review of Patch Notifications…………….. 3
    1. Patching Required?…………………………………………………….. 3
    1. LAB TESTING prior to deployment…………………………………. 4
    1. Identify Severity…………………………………………………………. 4
    1. Follow incident mgt process for emergency changes………….. 4

Document Information

Document ID SOC – Firmware Version Upgrade & Patches of Security Devices
Version 1.2
Process Primes ITPROSEC SOC

Document History

1.    INTRODUCTION

Purpose

The purpose of this document is to describe the ITPROSEC Security Patch Management Program for managed security devices.

ITPROSEC Security receives notifications from Vendors and other 3rd party security feeds, the ITPROSEC Threat Assessment Group (STAG) as well as a monthly approved firmware review within ITPROSEC Security DEV OPS.

ITPROSEC Security will also proactively make assessments of the firmware version upgrades needed to enable new required features.

Document Scope

In Scope

This document deals with the process around patches to customer managed security devices.

Audience

This document is intended for ITPROSEC Security MSS Customers

1.1.1   ITPROSEC Security Threat Assessment Group (STAG)

The ITPROSEC Security Threat Assessment Group (STAG) holds regularly recurring meetings to review the following:

  • All security threats and vulnerabilities that could potentially affect ITPROSEC and its customers.
    • Reviews email alerts sent to ITPROSEC by our vendors and prioritizes alerts for review and lab testing

1.1.2   Security build – monthly firmware reviews

ITPROSEC Security prime hosts a monthly firmware build review and works with the internal Security Dev Ops team to determine device firmware based on the alerts and patches deployed by the vendors. This is done to ensure ITPROSEC remains current and support is sustained by the vendors.

1.1.3   Vendor Notifications and Feeds regarding firmware versions

There are several vendor notifications and feeds relating to patches for security devices. All Vendor notifications are reviewed by the ITPROSEC Support team and Security prime and prioritized according to urgency and impact.

  1. 1.1.4   Security Review of Patch Notifications

Patch notifications are reviewed to determine if they are required to address device functionality or vulnerability issues. Patch reviews are prioritized based on threats to security posture.

1.1.5   Patching Required?

Is the Upgrade or Patch warranted, given the assessment?

When a potential issue is identified ITPROSEC Security assesses its relevance and impact to the customer base managed to determine risk and exposure.

  • Once the exposure to the platforms is identified a schedule for upgrading will be created by following the standard change management process.
    • ITPROSEC will test the upgrade patch or version in the TEST lab and schedule on an as needed basis with the customer through Change management processes.
      • Emergency patches are deployed through Incident management.
    • Determining the severity of the exposure is required to ensure the customer’s environment and business impact is minimized.

1.1.6   LAB TESTING prior to deployment

ITPROSEC takes every possible measure to minimize potential vulnerabilities and impact to its customers, As such; ITPROSEC performs patch level testing on the ITPROSEC lab devices. (Applicable devices only)

Testing can be performed on the firmware level only. End to End customer testing cannot replicated in the Lab environment.

Emergency firmware updates/patches to firmware are normally a repaired version of existing firmware and have been tested by the vendor prior to distribution.

1.1.7   Identify Severity

Severity is identified by comparing device firmware and configuration against confirmed or probable functionality and vulnerability issues.

1.1.8   Follow incident management process for emergency changes

Emergency changes are carried out with urgency. ITPROSEC Security reaches out to contacts to schedule emergency service windows. In the event that a customer cannot be contacted, ITPROSEC Security may proceed with an emergency configuration/firmware change to mitigate ongoing, re-occurring or imminent threats.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: