Commit fae3289e authored by Marcello Evangelista

Adding the patching policy and schedule.

parent f5cccc03
# Purpose
The purpose of this policy is to establish a solid and consistent patching routine to be used across the whole company including, and not limited to, vendor solutions such as hardware, XaaS and/or any external extensions of OlinData's infrastructure.
# Scope
This policy applies to all OlinData BV employees, contractors, vendors and agents with a OlinData BV-owned or personally-owned computer or workstation used to connect to the OlinData BV network and/or used to deliver work on behalf of the company.
# Policy
1. Personal Hardware
1. Personal-level hardware should be patched accordingly to the definitions from the Infosec Team. Bulletins will be made available on Slack and Email regarding critical threats or news regarding the schedule.
1. The preferred patching day for Personal-level hardware is Friday, during the OlinData Day. This can be temporarily changed if a critical CVE is published or any internal breach happens.
1. The patching will be inspected by Stethoscope and the non-compliance with the patching schedule will represent a break of policy and may result in subsequent warnings.
1. All patching related to personal hardware should be carried by the owner with prior instruction from the Infosec Team Bulletins.
1. Cloud Infrastructure
1. All assets from the infrastructure should be deployed as code and follow the paradigm of immutable infrastructure.
1. The patching routine for infrastructure deployed over the cloud is to have the complete resource re-deployed. This should be the default behaviour for any resource deployed on thirdy-party platform providers.
1. The patching will be inspected by Stethoscope and the non-compliance with the patching schedule will represent a break of policy and may result in subsequent warnings.
1. All patching related to infrastructure deployed on thirdy-party platform providers will be done by the Infosec Team.
# Policy Compliance
1. Compliance Measurement
The Infosec team will verify compliance to this policy through various methods, including but not limited to, periodic walk-thrus, video monitoring, business tool reports, internal and external audits, and feedback to the policy owner.
1. Exceptions
Any exception to the policy must be approved by the Infosec team in advance.
1. Non-Compliance
An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
# Revision History
Please check the commit history for this file.
\ No newline at end of file
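Review bot: In the Cloud Infrastructure section, the compliance item repeats the Personal Hardware wording verbatim ("The patching will be inspected by Stethoscope and the non-compliance with the patching schedule will represent a break of policy"), yet the following item assigns all cloud patching to the Infosec Team, so it is unclear who would receive the warnings and how a re-deployed resource is checked. Suggest rewording that item for the cloud case. The policy also refers to "the patching schedule" and to a "critical CVE" without stating a deadline by which a patch must be applied, which makes non-compliance hard to measure; consider adding explicit timeframes or a pointer to where the schedule is defined. Minor: "thirdy-party" should read "third-party" in both places, and the file is missing a trailing newline.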