# Patch Management Policy ## Objective The purpose of this policy is to define the way in which FundApps manages patching of its Information System. ## Scope The policy applies to all FundApps managed Information Systems. ## Policy ### End user computers End user computers must receive system patches automatically. Users must not be able to defer patching for more than 30 days. ### Servers #### Proxy servers Proxy servers must be cycled at least on a monthly basis, and must be built using an image including the latest system patches. #### Other servers Other servers must receive system patches at least every 3 months. ### Cloud Provider–Managed Infrastructure and Services FundApps infrastructure relies primarily on serverless and managed cloud services, where the cloud provider (AWS) maintains the underlying operating system and environment. * Cloud Provider Responsibility: Patching for the host OS and managed runtime environments is the responsibility of the cloud provider, as defined by the [Shared Responsibility Model.](https://aws.amazon.com/compliance/shared-responsibility-model/) * Application Component Management: FundApps is responsible for managing the security of application code, custom components, and deployment artefacts. All custom images and application dependencies must be regularly assessed for vulnerabilities and managed in accordance with the [Vulnerability Management Policy.](/client-portal/-LubIC9uIsME-_T0mNXu/fundapps-policies/infosec/vulnerability-management.md) --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://policies.fundapps.co/client-portal/-LubIC9uIsME-_T0mNXu/fundapps-policies/infosec/patch-management-policy.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.