
Patch and vulnerability management

Questions 53 to 59 — identify who is responsible for patching each component and make sure patches for vulnerabilities happen quickly.

Questions 53 to 59 — patch and vulnerability management

Table 1 lists who is responsible for answering each question.

Context and help for questions 53 to 59

Record your answers to these questions in either:

Questions to answer

  53. Is the service provider responsible for patching all the components that make up the public cloud service?
    53a. If no — has the government organisation identified which components the service provider is responsible for and which it is responsible for?
  54. Does the service provider’s terms of service or service level agreement include service levels for patch and vulnerability management that define the maximum exposure window?
  55. Does the government organisation currently have an effective process for patch and vulnerability management?
  56. Has the government organisation ensured that all of the components that it is responsible for have been added to its process for patch and vulnerability management?
  57. Is the government organisation subscribed to, or monitoring, appropriate sources for vulnerability and patch alerts for the components that it is responsible for?
  58. Does the service provider allow its customers to perform regular vulnerability assessments?
  59. Do the terms of service or service level agreement include a compensation clause for breaches caused by vulnerabilities in the service?
    59a. If yes — does it provide an adequate level of compensation if a breach occurs?

Table 1: Who answers each question

  Entity                    Questions to answer
  Government organisation   53a, 55, 56, 57, 59a
  Service provider          53, 54, 58, 59

Where to find the service provider’s answers

You can get the answers to the service provider’s questions from a combination of:

  • direct communication with the provider
  • the provider’s policies and audit reports on their website
  • previous assessments by other government organisations.

If you do not have the service provider’s answers

If you need higher assurance for the information, consider a different public cloud service if:

  • the provider does not give you their answers or other information you need for your risk assessment
  • you cannot get acceptable third-party assurance
  • there are no ways to lessen the risk of this incomplete information.

Independent assurance reports — New Zealand Information Security Manual

Context and help for questions 53 to 59

The following guidance gives you context and help for answering questions about patch and vulnerability management.

Direct contracts — check for information you can use

Another NZ government organisation may have previously assessed the public cloud service you’re looking to use. See which organisation to contact for information by:

NZ government agreements and contracts — check for certification documents you can use

You can use certification documents to help with your risk assessment of using either:

  • an all-of-government agreement
  • a Marketplace contract.

To get these, contact the security team at the Department of Internal Affairs at ictassurance@dia.govt.nz.

Patch management

The National Institute of Standards and Technology (NIST) defines patch management as the systematic notification, identification, deployment, installation and verification of code revisions for:

  • operating systems
  • application software.

These code revisions are known as:

  • patches
  • hot fixes
  • service packs.

Patch management — NIST

Vulnerability management

This is part of your organisation’s continuous monitoring of information security. It identifies vulnerabilities that are likely to be used by attackers to compromise a device and use it as a platform from which to extend compromise to the network.

Vulnerability management — NIST

Broad network access and timely patches

One of the benefits of adopting and using public cloud services is improved management of patches and vulnerabilities.

Vulnerabilities exist in all types of information systems. However, public cloud services have the characteristic of broad network access: your people can reach the services from any location and from many different devices, so an unpatched vulnerability is reachable from the same wide range of locations and devices.

This means that government organisations need to make sure that patches are applied in a timely manner.

Essential characteristics of cloud services

Who patches each component

Government organisations need to be sure they know who is responsible for patching each component of a public cloud service — for example, the:

  • application
  • operating system
  • hypervisor software
  • application programming interfaces (APIs).

The type of service model you’re using usually determines who is responsible for the management and maintenance of each component. It will be either:

  • the government organisation
  • the service provider
  • a combination of both.

Service models for public cloud

When the service provider is responsible

Government organisations need to make sure that the terms of service and service level agreement specify the maximum time period allowed between a patch being:

  • released by a vendor
  • applied to all affected systems.

This is called the maximum exposure window.

When the government organisation is responsible

A government organisation needs to make sure that it:

  • has an effective patch management process
  • monitors appropriate sources for vulnerability alerts.

These ensure that you can identify and deploy patches in a timely manner.
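To make the two checks in this section concrete, here is an added example (not from this guidance or any provider) that records who patches each component under an assumed typical service-model split and flags components whose exposure window, measured from vendor release to deployment on all affected systems (or to today if the patch is still outstanding), exceeds an assumed contracted maximum. The responsibility mapping, the day limits and the sample patch log are assumptions to replace with the real contract terms and your own records.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Assumed typical split of patching responsibility by service model
# (an assumption for this example; confirm the real split with the provider).
RESPONSIBLE_FOR = {
    "IaaS": {"hypervisor": "service provider", "operating system": "government organisation",
             "application": "government organisation"},
    "PaaS": {"hypervisor": "service provider", "operating system": "service provider",
             "application": "government organisation"},
    "SaaS": {"hypervisor": "service provider", "operating system": "service provider",
             "application": "service provider"},
}

# Assumed contracted maximum exposure windows in days, per responsible party.
MAX_EXPOSURE_DAYS = {"service provider": 14, "government organisation": 30}

@dataclass
class PatchRecord:
    component: str
    vendor_release: date      # date the vendor released the patch
    applied: Optional[date]   # date applied to all affected systems; None if still outstanding

def exposure_days(rec: PatchRecord, today: date) -> int:
    """Days from vendor release to full deployment, or to today if still open."""
    end = rec.applied if rec.applied is not None else today
    return (end - rec.vendor_release).days

def find_breaches(service_model: str, records: List[PatchRecord],
                  today: date) -> List[Tuple[str, str, int, int, bool]]:
    """Return (component, responsible party, exposure days, limit, still_open)
    for every record whose exposure window exceeds the responsible party's limit."""
    breaches = []
    for rec in records:
        who = RESPONSIBLE_FOR[service_model][rec.component]
        days = exposure_days(rec, today)
        limit = MAX_EXPOSURE_DAYS[who]
        if days > limit:
            breaches.append((rec.component, who, days, limit, rec.applied is None))
    return breaches

# Constructed sample patch log for a PaaS service (not real data).
SAMPLE = [
    PatchRecord("hypervisor", date(2024, 3, 1), date(2024, 3, 10)),
    PatchRecord("operating system", date(2024, 3, 5), date(2024, 4, 20)),
    PatchRecord("application", date(2024, 4, 1), None),
]

if __name__ == "__main__":
    for breach in find_breaches("PaaS", SAMPLE, date(2024, 5, 15)):
        print(breach)
```

The still-open application patch is reported against the government organisation's window even though no deployment date exists yet, which is the case a process review most often misses.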

Examples of vulnerability alerts

For vulnerability alerts, the government organisation should monitor, for example:
