AuditRubric
pr-ps-2 | critical | Protect / Platform Security

The software of platforms is managed, including operating systems and applications

Unpatched software remains one of the most consistently exploited initial-access vectors in breaches: a large share of successful intrusions use vulnerabilities for which a vendor patch had been available for months or years. Effective software management is therefore not just about keeping software current. It means maintaining a hardened baseline, removing software the platform does not need, and making the patching process reliable and measurable, so that both compliance and the exceptions are visible.

Estimated effort: 6h
Tags: patch-management, os-hardening, eol-software, vulnerability, configuration-management
Complete first: id-am-2

Implementation steps

  1. Define and enforce a software hardening baseline

    Create a hardening configuration for each operating system and application type in your environment, based on CIS Benchmarks or equivalent. The baseline should disable unnecessary services, enforce secure default configurations, and remove software not needed for the platform's function. Automate baseline enforcement through configuration management tools so drift is detected and corrected.

    Tools: ansible, chef, puppet, microsoft-intune, jamf
  2. Implement a patch management process with defined SLAs

    Deploy patches on a schedule with severity-based SLAs measured from the vendor's patch release date: critical patches within 15 days, high within 30 days, medium within 90 days. Use an automated patch management tool to deploy patches and report on coverage. Track patch compliance (the share of systems patched within SLA, broken down by severity) as a security metric reviewed at the management level, and record a documented exception for every system that misses its SLA.

    Tools: microsoft-intune, jamf, ansible, wsus, crowdstrike-falcon
  3. Remove end-of-life software from the environment

    Maintain a list of software and OS versions that are no longer receiving security updates. Set a plan to migrate off or decommission EOL systems before (not after) vendor support ends. EOL systems that cannot be patched should be isolated, have compensating controls applied, and have a documented risk acceptance from the appropriate authority.

    Tools: lansweeper, qualys, tenable, microsoft-intune
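Steps 2 and 3 both rest on a measurement the page describes but does not show: which findings are inside or outside their severity SLA, and which hosts still run software past its vendor end of support. The following is an added example, not code from this rubric or from any of the tools named above. It assumes a simplified CSV export whose column names (`hostname`, `os`, `finding`, `severity`, `patch_released`, `patched_on`) are this example's own rather than any vendor's, and a small end-of-support catalogue; the two catalogue dates are the vendors' published end-of-extended-support dates for those products, but confirm them against the vendor lifecycle page before relying on them. The scan rows and finding identifiers are constructed.

```python
"""Patch-SLA compliance and EOL exposure over a vulnerability-scan export.

Added example for this rubric page, not code from the page or from any
vendor tool. The CSV layout is an assumption: a simplified shape of what a
Qualys, Tenable or MDM export might look like. Real exports differ; map
their columns onto these before use.
"""
import csv
import io
from collections import Counter, defaultdict
from datetime import date, timedelta

# Severity-based SLAs from implementation step 2: days allowed between the
# vendor releasing a patch and the patch being deployed.
SLA_DAYS = {"critical": 15, "high": 30, "medium": 90}

# Assumed end-of-support catalogue for step 3. These are the vendors'
# published end-of-extended-support dates; confirm against the vendor
# lifecycle page before relying on them.
EOL_DATES = {
    "windows server 2012 r2": date(2023, 10, 10),
    "centos 7": date(2024, 6, 30),
}

# Reporting date for the worked run below.
AS_OF = date(2024, 7, 15)

# Constructed scan export. A blank patched_on means the finding is still open.
SCAN_EXPORT = """\
hostname,os,finding,severity,patch_released,patched_on
web-01,Ubuntu 22.04,F-001,critical,2024-05-01,2024-05-10
web-02,Ubuntu 22.04,F-001,critical,2024-05-01,2024-05-30
app-01,Ubuntu 22.04,F-002,critical,2024-06-01,2024-06-12
db-01,CentOS 7,F-003,high,2024-06-01,
db-01,CentOS 7,F-004,medium,2024-06-20,
file-01,Windows Server 2012 R2,F-005,high,2024-06-20,2024-07-10
jump-01,Windows Server 2022,F-006,critical,2024-07-05,
"""


def parse_export(text):
    """Parse the CSV into dicts with real date objects (None when unpatched)."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["severity"] = row["severity"].strip().lower()
        row["patch_released"] = date.fromisoformat(row["patch_released"])
        row["patched_on"] = (date.fromisoformat(row["patched_on"])
                             if row["patched_on"] else None)
        rows.append(row)
    return rows


def classify(row, as_of):
    """Return 'compliant', 'noncompliant' or 'pending' for one finding.

    compliant:    patched on or before the SLA due date
    pending:      still open, but the due date has not yet passed as of as_of
    noncompliant: patched after the due date, or still open past the due date
    """
    due = row["patch_released"] + timedelta(days=SLA_DAYS[row["severity"]])
    if row["patched_on"] is not None:
        return "compliant" if row["patched_on"] <= due else "noncompliant"
    return "pending" if as_of <= due else "noncompliant"


def sla_compliance(rows, as_of):
    """Percent of findings per severity that met SLA, among findings whose
    outcome is already decided. Pending findings are left out of the
    denominator so a fresh patch cycle does not read as a failure; None means
    nothing is decided yet for that severity."""
    tally = defaultdict(Counter)
    for row in rows:
        tally[row["severity"]][classify(row, as_of)] += 1
    result = {}
    for sev in SLA_DAYS:
        c = tally[sev]
        decided = c["compliant"] + c["noncompliant"]
        result[sev] = round(100 * c["compliant"] / decided, 1) if decided else None
    return result


def overdue_findings(rows, as_of):
    """(hostname, finding) pairs that are still open and past their SLA due date."""
    return sorted((r["hostname"], r["finding"]) for r in rows
                  if r["patched_on"] is None and classify(r, as_of) == "noncompliant")


def eol_exposure(rows, as_of):
    """Map hostname -> days past vendor end of support for hosts on EOL software,
    plus the set of hosts whose OS is absent from the catalogue. Absence from the
    catalogue is not evidence of support; those hosts need a manual lookup."""
    eol, unknown = {}, set()
    for r in rows:
        end = EOL_DATES.get(r["os"].strip().lower())
        if end is None:
            unknown.add(r["hostname"])
        elif as_of > end:
            eol[r["hostname"]] = (as_of - end).days
    return eol, unknown


if __name__ == "__main__":
    rows = parse_export(SCAN_EXPORT)
    print("SLA compliance by severity:", sla_compliance(rows, AS_OF))
    print("Open and past due:", overdue_findings(rows, AS_OF))
    eol, unknown = eol_exposure(rows, AS_OF)
    print("EOL hosts (days past support end):", eol)
    print("OS not in catalogue, review manually:", sorted(unknown))
```

The percentage reported to management counts only decided outcomes: a finding whose SLA window is still open is pending rather than compliant, so a fresh patch cycle neither inflates nor deflates the metric. Hosts whose OS does not appear in the catalogue are surfaced for manual review instead of being silently treated as supported, which is the failure mode an EOL list maintained by hand tends to have.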

Evidence required

Patch compliance report

A recent report showing the percentage of systems patched within SLA by severity, across the managed environment.

  • Monthly patch compliance dashboard showing critical patch coverage
  • Qualys or Tenable patch report showing patched vs. unpatched systems
  • MDM patch status report for managed endpoints

Hardening baseline documentation

A documented hardening configuration baseline and evidence that it is being enforced.

  • CIS Benchmark-aligned hardening guide for the organization's primary OS
  • Configuration management code applying hardening controls (Ansible playbook, etc.)
  • Configuration compliance scan report showing deviations from baseline

Related controls