ASD's Blueprint for Secure Cloud

Patch Applications

This page provides a template and guidance to assist organisations in documenting their approach to patching applications, as per the Essential Eight Maturity Model, associated with their system(s) built on ASD's Blueprint for Secure Cloud.

Estimated reading time: 7 minutes

Applicability

The Patch Applications mitigation strategy is applicable to the appropriate patching of applications for the following components of <SYSTEM-NAME>:

  • Endpoints (Windows laptops and desktops)
  • <ON-PREMISES SERVERS>

<INSERT ADDITIONAL INFORMATION AS APPROPRIATE>

Maturity Level

Targeted:<TARGET-LEVEL>
Currently Assessed:<ASSESSED-LEVEL>

Implementation

Asset discovery

<ASSET-DISCOVERY-TOOL> is used to scan for all assets within <SYSTEM-NAME>.

<ASSET-DISCOVERY-TOOL> performs an asset discovery scan on a <FORTNIGHTLY> basis.

<INSERT ADDITIONAL INFORMATION AS APPROPRIATE>

Vulnerability scanning

<VULNERABILITY-SCANNING-TOOL> is used to scan for all application vulnerabilities on endpoints and servers within <SYSTEM-NAME>. <VULNERABILITY-SCANNING-TOOL> is configured to update its vulnerability database on a <nightly> basis.

Windows endpoints

<VULNERABILITY-SCANNING-TOOL> is configured to scan all Windows endpoints discovered by <ASSET-DISCOVERY-TOOL>, performing vulnerability scans on a weekly basis.

<INSERT ADDITIONAL INFORMATION AS APPROPRIATE>

Hybrid servers

<VULNERABILITY-SCANNING-TOOL> is configured to scan all hybrid servers discovered by <ASSET-DISCOVERY-TOOL>, performing vulnerability scans on a daily basis.

<INSERT ADDITIONAL INFORMATION AS APPROPRIATE>

Servers for online services

<SYSTEM-NAME> does not include the hosting of online services, nor does it leverage the use of online services within <ORGANISATION-NAME> as part of its operation, and as such the scanning of vulnerabilities in these services is not applicable.

<INSERT ADDITIONAL INFORMATION AS APPROPRIATE>

Patching

Windows endpoints

Patches for all applications on windows endpoints are managed and deployed using Microsoft Intune, and applied using Microsoft Defender for Endpoint.

In accordance with the <SYSTEM-NAME> Vulnerability and Patch Management Process, vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF software, Adobe Flash Player, and security products discovered by <VULNERABILITY-SCANNING-TOOL> are applied within 48 hours where these vulnerabilities are assessed as critical by vendors or when working exploits exist, and applied within 2 weeks otherwise.

Patches for vulnerabilities in all other applications on <SYSTEM-NAME> endpoints are applied within 1 month.

<INSERT ADDITIONAL INFORMATION AS APPROPRIATE>

Hybrid servers

Patches for all applications on hybrid servers are applied using <server patch deployment mechanism>.

In accordance with the <SYSTEM-NAME> Vulnerability and Patch Management Process, vulnerabilities in web browsers and security products discovered by <VULNERABILITY-SCANNING-TOOL> are applied within 48 hours where these vulnerabilities are assessed as critical by vendors or when working exploits exist, and applied within 2 weeks otherwise.

<SYSTEM-NAME> hybrid servers do not have office productivity suites, web browser extensions, email clients, PDF software (other than web browsers), or Adobe Flash Player installed.

Patches for vulnerabilities in all other applications on <SYSTEM-NAME> hybrid servers are applied within 1 month.

<INSERT ADDITIONAL INFORMATION AS APPROPRIATE>

Servers for online services

<SYSTEM-NAME> does not include the hosting of online services, nor does it leverage the use of online services within <ORGANISATION-NAME> as part of its operation, and as such the application of patches for these services is not applicable.

<INSERT ADDITIONAL INFORMATION AS APPROPRIATE>

Removal of unsupported applications

Windows endpoints

In accordance with the <SYSTEM-NAME> Vulnerability and Patch Management Process, <ORGANISATION-NAME> will monitor vendor support of applications used for all <SYSTEM-NAME> components, and ensure that all unsupported applications are removed prior to this support ending.

<INSERT ADDITIONAL INFORMATION AS APPROPRIATE>

Hybrid servers

In accordance with the <SYSTEM-NAME> Vulnerability and Patch Management Process, <ORGANISATION-NAME> will monitor vendor support of applications used for all <SYSTEM-NAME> components, and ensure that all unsupported applications are removed prior to this support ending.

<INSERT ADDITIONAL INFORMATION AS APPROPRIATE>

Servers for online services

<SYSTEM-NAME> does not include the hosting of online services, nor does it leverage the use of online services within <ORGANISATION-NAME> as part of its operation, and as such the removal of unsupported online services is not applicable.

<INSERT ADDITIONAL INFORMATION AS APPROPRIATE>

Security & Governance

Design

Do you have a suggestion on how the above page could be improved? Get in touch! ASD's Blueprint for Secure Cloud is an open source project, and we would love to get your input. Submit an issue on our GitHub, or send us an email at blueprint@asd.gov.au

Acknowledgement of Country icon

Acknowledgement of Country
We acknowledge the Traditional Owners and Custodians of Country throughout Australia and their continuing connections to land, sea and communities. We pay our respects to them, their cultures and their Elders; past, present and emerging. We also recognise Australia's First Peoples' enduring contribution to Australia's national security.

Authorised by the Australian Government, Canberra