What the FFIEC, PCI, and NCUA all say about Patch Management

Based on our observations, 2013 should be labeled “the year of patch management.” We have seen a significant increase among credit unions in the discussion and adoption of patch management systems to follow the guidelines created by the FFIEC, PCI, and NCUA.

Patch management is a key requirement in protecting systems from attacks by ensuring that software is repaired and free of known vulnerabilities – vulnerabilities being the primary target of most attacks.

If you follow the guidelines set forth by these key regulatory bodies regarding patch management, you will see some very clear goals and objectives:

“…effective patch management programs include specific information on monitoring software vulnerabilities and identifying patches.” – NCUA

“…obtain the patch from a known, trusted source.” – FFIEC

“All critical systems must have the most recently released, appropriate software patches to protect against exploitation and compromise of cardholder data by malicious individuals and malicious software” – PCI

Manually installing the latest software patches on systems is no longer an accepted practice, and definitely not in compliance with the above-mentioned guidelines. Audits will focus on the process to verify that the patch management solution:

  1. Includes detailed reports on each system and its patch status.
  2. Verifies that the patch came from a trusted source.
  3. Identifies when the patches were installed.
  4. Allows the ability to remove a patch if its installation causes problems with key applications.
  5. Allows the ability to mark or label patches that were not installed.
  6. Is done on a regularly scheduled, frequent basis.

Btech offers an affordable patch management solution that accomplishes all of these goals. With our managed patch management service, there is no hardware or software to buy. A senior Btech engineer ensures that patches for all tier-1 applications are deployed on a bi-monthly basis, with detailed “pre” and “post” deployment reports created and provided to our clients to validate the patch process.

For more information, or a free demonstration of how our managed patch management service works, please contact me at 626-397-1045 or leebird@btechonline.com.