Information Systems Security Controls Guidance: Patching

Patching – Section 11(c)(9)(iv)

Section 11(c)(9)(iv) of the regulations requires the entity to “establish a robust configuration management practice for information systems to include regular patching and updates made to operating systems and individual applications.”

Patching is the process of installing pieces of software designed to update an existing program. These are often used to fix security vulnerabilities.

Microsoft releases its regular security updates on the second Tuesday of each month, commonly called “Patch Tuesday.” The following day is often called “Exploit Wednesday” because attackers compare the patched and unpatched code to identify the underlying vulnerabilities and develop exploits against systems that have not yet been updated. Once a patch is public, the exposure of unpatched systems grows quickly. Thus, the IT department should test and deploy these regular updates promptly after release rather than waiting, and should track which systems have not yet received them so that stragglers are identified and remediated.
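As an added example (not part of the original guidance), the following Python script computes the Patch Tuesday date for any month and classifies each host in a constructed inventory as current, pending (newest release not yet applied but still inside the deployment window), or overdue. The hostnames, last-patched dates, and the 14-day deployment window are assumptions chosen for illustration, not values the regulation prescribes.

```python
from datetime import date, timedelta

TUESDAY = 1  # date.weekday(): Monday == 0, Tuesday == 1


def patch_tuesday(year, month):
    """Return the second Tuesday of the month, Microsoft's regular security release day."""
    first = date(year, month, 1)
    first_tuesday = first + timedelta(days=(TUESDAY - first.weekday()) % 7)
    return first_tuesday + timedelta(days=7)


def latest_patch_tuesday(today):
    """Return the most recent Patch Tuesday on or before `today`."""
    release = patch_tuesday(today.year, today.month)
    if release > today:
        # This month's release has not happened yet; fall back to last month's.
        last_of_prev_month = today.replace(day=1) - timedelta(days=1)
        release = patch_tuesday(last_of_prev_month.year, last_of_prev_month.month)
    return release


def patch_status(last_patched, today, sla_days):
    """Classify one host against the regular release cadence.

    'current'  - the newest release is already applied
    'pending'  - only the newest release is missing and the SLA window is still open
    'overdue'  - an older release is missing, or the SLA window has closed
    """
    release = latest_patch_tuesday(today)
    if last_patched >= release:
        return "current"
    previous_release = latest_patch_tuesday(release - timedelta(days=1))
    deadline = release + timedelta(days=sla_days)
    if last_patched >= previous_release and today <= deadline:
        return "pending"
    return "overdue"


def report(inventory, today_iso, sla_days):
    """Map hostname -> status for (hostname, last_patched ISO date) pairs."""
    today = date.fromisoformat(today_iso)
    return {host: patch_status(date.fromisoformat(last), today, sla_days)
            for host, last in inventory}


# Constructed sample inventory: hypothetical hosts and dates, not real data.
SAMPLE_INVENTORY = [
    ("ws01", "2020-09-09"),   # patched the day after the September 8 release
    ("ws02", "2020-08-12"),   # has August's patches; September's not yet applied
    ("srv01", "2020-07-15"),  # missed both the August and September releases
    ("srv02", "2020-08-10"),  # patched the day before the August 11 release, so missed it
]

if __name__ == "__main__":
    # Assumed policy: every host gets the monthly release within 14 days.
    for host, status in report(SAMPLE_INVENTORY, "2020-09-09", 14).items():
        print(f"{host}: {status}")
```

The check covers only the regular monthly cadence; out-of-band updates that Microsoft ships for actively exploited vulnerabilities need to be tracked separately, since they do not fall on the second Tuesday.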

Page last reviewed: September 9, 2020