Patches and Vulnerabilities Policy

Purpose:

The purpose of this policy is to establish a framework for managing software patches and vulnerabilities within the Pitaka platform, ensuring that all systems are up-to-date and secure to mitigate risks associated with known vulnerabilities.

Scope:

This policy applies to all software, hardware, and systems utilized within the Pitaka platform, including third-party applications and services.

Policy

1. Patch Management:

A patch management program must be implemented to ensure timely identification, evaluation, and application of patches for all software and systems. Patches must be applied in accordance with the following timelines:

- Critical vulnerabilities: within 24 hours
- High vulnerabilities: within 72 hours
- Medium vulnerabilities: within 1 week
- Low vulnerabilities: within 1 month

All patches must be tested in a controlled environment before deployment to production systems to minimize disruptions.

2. Vulnerability Assessment:

Regular vulnerability assessments must be conducted to identify and evaluate potential vulnerabilities in the Pitaka environment. Automated vulnerability scanning tools should be utilized to facilitate the detection of vulnerabilities in software and systems. Assessment results must be documented, and a remediation plan should be developed to address identified vulnerabilities.

3. Risk Prioritization:

Identified vulnerabilities must be prioritized based on their severity, potential impact, and exploitability. Critical and high vulnerabilities must be addressed as a priority to reduce the risk of exploitation. The risk assessment process must consider factors such as asset value, business impact, and threat landscape.

4. Documentation and Reporting:

All patches applied and vulnerabilities identified must be documented in a centralized repository. Detailed records must include the date of identification, severity rating, remediation actions taken, and responsible personnel. Regular reports on patching status and vulnerability management efforts must be provided to senior management.

5. Compliance:

This policy aligns with relevant regulations, including the Data Privacy Act of 2012 and the Cybercrime Prevention Act of 2012 in the Philippines. Compliance audits must be conducted periodically to ensure adherence to this policy and applicable legal requirements.

6. Training and Awareness:

All employees must receive training on the importance of patch management and vulnerability mitigation. Ongoing awareness programs should be implemented to keep employees informed about emerging vulnerabilities and security best practices.

7. Policy Enforcement:

Violations of this policy may result in disciplinary actions, including revocation of access, termination of employment, or legal consequences, depending on the severity of the violation. The IT security team is responsible for enforcing compliance with this policy and monitoring adherence to patch management practices.