Cyber Essentials Security Update Management
The cyber essentials security update management controls ensures that devices and software are not vulnerable to known security issues for which fixes are available.
Cyber Essentials - Security Update Management Requirements
Introduction
Software is almost never released in a perfect condition. Once a program is released to the public, the thousands and millions of people who use it do so in many different ways. That’s when the majority of bugs are discovered! When bugs are discovered, software developers find ways to fix the problems, and release those fixes as software updates. Old and outdated software that has not been updated is therefore vulnerable to hackers and cyber criminals.
The application of software updates is particularly important important as the release of software update notes often reveal the patched-up exploitable entry points to the public. Public knowledge of these security holes leaves your organisation easy prey for malicious users who are looking for a way to gain entry to your business and its sensitive data.
The cyber essentials certification therefore requires organisations to keep all software up to date.
Cyber Essentials – Security Update Management Requirements
The cyber essentials certification requires organisations to keep all its software up-to-date. Software must be:
• Licensed and supported
• Removed from devices when no longer supported
• Have automatic updates enabled where possible
• Updated, including applying any manual configuration changes required to make the update effective within 14 days* of an update being released (where the update fixes a vulnerability with a severity the product vendor describes as ‘critical’ or ‘high risk’ or where there are no details of the vulnerability severity level).
