Sub-Requirement 6.2 (Update: v3.0 11/2013)

6.2 Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches. Install critical security patches within one month of release. (Maps to prior Requirement 6.1)

Illustrative Controls and the TIBCO LogLogic Solution

Security patch management includes deploying security updates and related software releases into the production environment. The goal of security patches is to help the organization maintain system and data integrity and prevent exploitation of known vulnerabilities.

This process helps organizations maintain operational efficiency and effectiveness, overcome security vulnerabilities, and sustain the stability of the production environment. Security vulnerabilities that exist in the IT environment can be exploited, leading to downtime and loss of revenue and/or intellectual property.

Organizations must determine and maintain a known level of trust within the IT environment and ensure that vendor-supplied security patches have been properly tested and installed within a reasonable period of time.

To satisfy this requirement, administrators must continually ensure that all security patches have been installed on in-scope systems.

Reports and Alerts

Use the link/reference to see the 6.2 reports and alerts: 6.2 on page 99.