Patch Management Policy

Objective

The purpose of this policy is to define the way in which FundApps manages patching of its Information System.

Scope

The policy applies to all FundApps managed Information Systems.

Policy

End user computers

End user computers must receive system patches automatically. Users must not be able to defer patching for more than 30 days.

Servers

Proxy servers

Proxy servers must be cycled at least on a monthly basis, and must be built using an image including the latest system patches.

Other servers

Other servers must receive system patches at least every 3 months.

Cloud Provider–Managed Infrastructure and Services

FundApps infrastructure relies primarily on serverless and managed cloud services, where the cloud provider (AWS) maintains the underlying operating system and environment.

• Cloud Provider Responsibility: Patching for the host OS and managed runtime environments is the responsibility of the cloud provider, as defined by the Shared Responsibility Model.

• Application Component Management: FundApps is responsible for managing the security of application code, custom components, and deployment artefacts. All custom images and application dependencies must be regularly assessed for vulnerabilities and managed in accordance with the Vulnerability Management Policy.