Patches and security updates for Operating Systems and critical system components shall be installed.
Guidance
The following should be considered:
- Limit yourself to only install those applications (operating systems, firmware, or plugins ) that you
need to run your business and patch/update them regularly.
- You should only install a current and vendor-supported version of software you choose to use. It may
be useful to assign a day each month to check for patches.
- There are products which can scan your system and notify you when there is an update for an
application you have installed. If you use one of these products, make sure it checks for updates for
every application you use.
- Install patches and security updates in a timely manner.
The organization shall plan, perform, and document preventive maintenance and repairs on its critical system components according to approved processes and tools.
Guidance
The following should be considered:
- Perform security updates on all software in a timely manner.
- Automate the update process and audit its effectiveness.
- Introduce an internal patching culture on desktops, mobile devices, servers, network components,
etc. to ensure updates are tracked.
The organization shall prevent the unauthorized removal of maintenance equipment containing organization's critical system information.
Guidance
This requirement mainly focuses on OT/ICS environments.
The organization shall enforce approval requirements, control, and monitoring of maintenance tools for use on its critical systems.
Guidance
Maintenance tools can include hardware/software diagnostic test equipment, hardware/software packet
sniffers and laptops.
Maintenance tools and portable storage devices shall be inspected when brought into the
facility and shall be protected by anti-malware solutions so that they are scanned for
malicious code before they are used on organization's systems.
The organization shall verify security controls following hardware and software
maintenance or repairs/patching and take action as appropriate.