6.2 Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches. Install critical security patches within one month of release.
Note: Critical security patches should be identified according to the risk ranking process defined in Requirement 6.1.
6.2.a Examine policies and procedures related to security-patch installation to verify processes are defined for:
• Installation of applicable critical vendor-supplied security patches within one month of release.
• Installation of all applicable vendor-supplied security patches within an appropriate time frame (for example, within three months).
6.2.b For a sample of system components and related software, compare the list of security patches installed on each system to the most recent vendor security-patch list, to verify the following:
• That applicable critical vendor-supplied security patches are installed within one month of release.
• All applicable vendor-supplied security patches are installed within an appropriate time frame (for example, within three months).
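The comparison in 6.2.b is a mechanical check once the two inputs exist: the vendor's patch list (release date plus the criticality rank assigned under Requirement 6.1) and the system's installed-patch list with install dates. The following is an added example, not text or code from the PCI DSS standard, that performs that comparison for one system and reports every patch that missed its window. Patch identifiers, dates and the 90-day window for non-critical patches are all constructed sample values (the standard only offers "three months" as an example of an appropriate time frame, so the non-critical window is an assumed default here); the status names are hypothetical.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Iterable, List, Optional

# Windows taken from Requirement 6.2: critical patches within one month.
# The 90-day window for everything else is an assumed default based on the
# "for example, within three months" wording; adjust to the documented policy.
CRITICAL_WINDOW = timedelta(days=30)
OTHER_WINDOW = timedelta(days=90)


@dataclass(frozen=True)
class VendorPatch:
    patch_id: str            # vendor's identifier for the patch (sample values below)
    released: date           # vendor release date
    critical: bool           # "critical" per the Requirement 6.1 risk-ranking process
    applicable: bool = True  # False when the patched component is not present on this system


@dataclass(frozen=True)
class Finding:
    patch_id: str
    status: str              # "ok", "late", "overdue", "pending" or "not_applicable"
    deadline: date           # release date plus the window that applies to this patch
    installed_on: Optional[date]


def assess_system(vendor_patches: Iterable[VendorPatch],
                  installed: Dict[str, date],
                  as_of: date) -> List[Finding]:
    """Compare one system's installed patches against the vendor list.

    'late'    -> installed, but after the deadline (a 6.2.b finding)
    'overdue' -> not installed and the deadline has already passed (a 6.2.b finding)
    'pending' -> not installed, deadline still in the future (watch, not a finding)
    """
    findings: List[Finding] = []
    for p in vendor_patches:
        window = CRITICAL_WINDOW if p.critical else OTHER_WINDOW
        deadline = p.released + window
        installed_on = installed.get(p.patch_id)
        if not p.applicable:
            status = "not_applicable"
        elif installed_on is None:
            status = "overdue" if as_of > deadline else "pending"
        else:
            status = "ok" if installed_on <= deadline else "late"
        findings.append(Finding(p.patch_id, status, deadline, installed_on))
    return findings


def noncompliant(findings: Iterable[Finding]) -> List[Finding]:
    """Only 'late' and 'overdue' patches fail the 6.2.b test."""
    return [f for f in findings if f.status in ("late", "overdue")]


# Constructed sample data: a vendor patch list and one system's install record.
SAMPLE_VENDOR_PATCHES = [
    VendorPatch("PATCH-A", date(2024, 4, 15), critical=True),                  # installed in time
    VendorPatch("PATCH-B", date(2024, 4, 1),  critical=True),                  # installed 19 days late
    VendorPatch("PATCH-C", date(2024, 4, 20), critical=True),                  # still missing, deadline passed
    VendorPatch("PATCH-D", date(2024, 3, 15), critical=False),                 # missing, 90-day window still open
    VendorPatch("PATCH-E", date(2024, 5, 25), critical=True, applicable=False),  # component not on this host
]
SAMPLE_INSTALLED = {
    "PATCH-A": date(2024, 5, 1),
    "PATCH-B": date(2024, 5, 20),
}
SAMPLE_AS_OF = date(2024, 6, 1)  # date of the assessment


if __name__ == "__main__":
    results = assess_system(SAMPLE_VENDOR_PATCHES, SAMPLE_INSTALLED, SAMPLE_AS_OF)
    for f in results:
        print(f"{f.patch_id:8} {f.status:14} deadline={f.deadline} installed={f.installed_on}")
    print("6.2.b findings:", [f.patch_id for f in noncompliant(results)])
```

Run this for each system in the 6.2 sample and keep the output with the evidence: the assessor needs to see the vendor release date, the 6.1 ranking and the install date side by side, not just a pass/fail. Note that "pending" items are not findings yet but will become "overdue" at the next assessment if left alone, so a policy that tracks them is what 6.2.a is looking for.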
There is a constant stream of attacks using widely published exploits against otherwise secured systems. These are sometimes loosely called "zero day" attacks, but strictly a zero-day exploits a vulnerability for which no fix is yet available; the far larger volume of attacks targets vulnerabilities the vendor has already patched but the target has not yet applied. If the most recent patches are not implemented on critical systems as soon as possible, a malicious individual can use these exploits to attack or disable a system, or gain access to sensitive data.
Prioritizing patches for critical infrastructure ensures that high-priority systems and devices are protected from vulnerabilities as soon as possible after a patch is released. Consider prioritizing patch installations such that security patches for critical or at-risk systems are installed within 30 days, and other lower-risk patches are installed within 2-3 months.
This requirement applies to applicable patches for all installed software.