Regular application of vendor-issued critical security updates and patches is necessary to protect Damoov data and systems from malicious attacks and erroneous function. All electronic devices connected to the network, including servers, workstations, firewalls, network switches and routers, tablets, mobile devices, and cellular devices, routinely require patching for functional and secure operations.
Software is critical to the delivery of services to Damoov customers and Damoov users. This policy provides the basis for an ongoing and consistent system and application update policy that stresses regular security updates and patches to operating systems, firmware, productivity applications, and utilities. Regular updates are critical to maintaining a secure operational environment.
This policy applies to all Damoov employees and sub-contractors who create, deploy, or support application and system software.
All system components and software shall be protected from known vulnerabilities by installing applicable vendor-supplied security patches. System components and devices attached to the Damoov network shall be regularly maintained by applying critical security patches within thirty (30) days after release by the vendor. Other patches not designated as critical by the vendor shall be applied on a normal maintenance schedule as defined by normal systems maintenance and support operating procedures.
A regular schedule shall be developed for security patching of all Damoov systems and devices. Patching shall include updates to all operating systems as well as office productivity software, database software, third-party applications (e.g. MongoDB, Microsoft services, etc.), and mobile devices.
Most vendors have automated patching procedures for their individual applications. There are a number of third-party tools to assist in the patching process and Damoov should make use of appropriate management software to support this process across the many different environments. The regular application of critical security patches is reviewed as part of normal change management and audit procedures.
On-demand documented procedures and evidence of practice should be in place for this operational policy as part of the Damoov internal systems change management and update procedures. Examples of adequate controls include:
Employees found in violation of this policy may be subject to disciplinary action, up to and including termination.
This policy is to be distributed to all Damoov employees and sub-contractors responsible for support and management.