Patch management procedures
Requirement to Establish Patch Management Procedures (Article 10(3) RTS RMF)
As part of the ICT security policies, procedures, protocols and tools required under Article 9(2) DORA, financial entities must develop, document and implement patch management procedures.
These procedures must support the resilience, continuity and availability of ICT systems, especially for those supporting critical or important functions.
Mandatory Components of Patch Management Procedures (Article 10(4) RTS RMF)
The patch management procedures must include all of the following elements:
Automated Identification and Evaluation of Patches and Updates
The procedures must identify available software and hardware patches and evaluate available updates, using automated tools to the extent possible.
This ensures timely awareness of the patches that apply to the entity's ICT assets.
Emergency Patching and Updating Procedures
The procedures must:
- define emergency procedures for patching and updating ICT assets, and
- ensure rapid action in situations requiring immediate remediation to mitigate critical vulnerabilities or threats.
These emergency procedures must be clearly established, documented and available for operational use.
Testing and Deployment of Patches and Updates
The procedures must cover:
- testing of software and hardware patches, and
- deployment of such patches and updates,
as referenced in:
- Article 8(2)(b)(v) RTS RMF (separation of environments),
- Article 8(2)(b)(vi) RTS RMF (testing in separated environments),
- Article 8(2)(b)(vii) RTS RMF (controlled testing in production environments).
Testing must ensure that:
- patches do not compromise system stability, and
- the confidentiality, integrity, availability and authenticity of ICT systems are maintained during deployment.
Deadlines and Escalation Procedures
The procedures must:
- define deadlines for the installation of software and hardware patches and updates, and
- establish escalation procedures for cases where those deadlines cannot be met.
These deadlines and escalation mechanisms must align with:
- the risk associated with the vulnerability being addressed,
- the classification of ICT assets under Article 8(1) DORA, and
- the overall ICT risk profile of the financial entity.