Description
Applicability
The intended audience includes, but is not limited to, custodians and/or owners of an information resource.
Implementation
1. Custodians of information resources shall ensure that vendor-supplied security patches are routinely acquired, systematically tested prior to implementation where practical, and installed promptly.
   1.1 Security patches categorized as "critical" by the vendor must be installed within 30 days of release.
   1.2 Security patches categorized as "high" by the vendor must be installed within 45 days of release.
   1.3 Other security patches must be installed within 60 days of release.
2. Custodians of information resources shall remove unnecessary software, system services, and drivers.
3. Custodians of information resources shall enable recommended security features included in vendor-supplied systems including, but not limited to, firewalls, virus scanning and malicious code protections, and other file protections.
4. Custodians of information resources shall disable or change the password of default accounts before placing the resource on the network.