6.2 Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor- supplied security patches. Install critical security patches within one month of release.
Note: Critical security patches should be identified according to the risk ranking process defined in Requirement 6.1.
6.2.a Examine policies and procedures related to security- patch installation to verify processes are defined for:
• Installation of applicable critical vendor-supplied security patches within one month of release.
• Installation of all applicable vendor-supplied security patches within an appropriate time frame (for example, within three months).
6.2.b For a sample of system components and related software, compare the list of security patches installed on each system to the most recent vendor security-patch list, to verify the following:
• That applicable critical vendor-supplied security patches are installed within one month of release.
• All applicable vendor-supplied security patches are installed within an appropriate time frame (for example, within three months).
6.2.a Examine policies and procedures related to security- patch installation to verify processes are defined for:
• Installation of applicable critical vendor-supplied security patches within one month of release.
• Installation of all applicable vendor-supplied security patches within an appropriate time frame (for example, within three months).
6.2.b For a sample of system components and related software, compare the list of security patches installed on each system to the most recent vendor security-patch list, to verify the following:
• That applicable critical vendor-supplied security patches are installed within one month of release.
• All applicable vendor-supplied security patches are installed within an appropriate time frame (for example, within three months).