Acceptable Practices for Server Patch Management

Revised: 8 Dec 2015 by ITSO

A supported operating system must be used for server in which vendor can provide timely security patches on known and published vulnerabilities. ITSO recommends to follow the National Vulnerability Database (NVD) ratings for security risk classification and patch management, applying high severity (score of 7.0-10.0) security patches within 4 weeks of publish, medium severity (score of 4.0-6.9) and low severity (0.0-3.9) within 12 weeks. On very high severe vulnerability that will cause instantaneous exploitable threat to the system, ITSO would recommend to apply patch or remediation immediately.

As a general practice, a system upgrade shall be scheduled no longer than every 12 weeks to apply all severity levels of patches to a server operation system.

ITSO will publish a checklist of high severity security patches on all supported operation systems to facilitate the tracking of required patches to be applied.

Related Links

  • NVD is the U.S. government repository of standards based vulnerability management data. This data enables automation of vulnerability management, security measurement, and compliance.