Cast Vulnerability and Patch Management Policy

Purpose

This policy provides the basis for an ongoing and consistent system and application update policy that stresses regular security updates and patches to operating systems and applications. Regular updates are critical to maintaining a secure operational environment.

Definitions

Patch – A software update comprised code inserted (or patched) into the code of an executable program. Typically, a patch is installed into an existing software program. Patches are often temporary fixes between full releases of a software package.

Remediation - An effort that resolves or mitigates a discovered vulnerability.

Vulnerability - Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.

Scope

This policy applies to all components of the information technology infrastructure deployed and managed by Cast, and its developed application.

Policy

General

All devices and services owned and maintained by Cast shall be regularly scanned for compliance and vulnerabilities. Vulnerabilities identified during the vulnerability/patch scan are to be remediated in a timely manner

Patching Exceptions

Patches on production systems may require complex testing and installation procedures.  In certain cases, risk mitigation rather than patching may be preferable.  The reason for any departure from the above standard and alternative protection measures taken shall be documented in writing for devices storing non-public data.  Deviations from normal patch schedules shall require the CEOs documented authorization.

Vulnerability and Patch Management Procedures

Procedures shall be established and implemented.  The process shall ensure that application and system vulnerabilities are:

  • Evaluated regularly and responded to in a timely fashion;
  • Documented and well understood by support staff;
  • Automated and regularly monitored wherever possible; and
  • Applied in a timely and orderly manner based on criticality and applicability of patches and enhancements.

Policy Compliance

Compliance Measurement

The Information Security team will verify compliance to this policy through various methods, including but not limited to, business tool reports, internal and external audits, and feedback to the policy owner.

Exceptions

Any exception to the policy must be approved by the CEO in advance.

Non-Compliance

An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

This document was last updated on 03/10/2024.