5.1.1.4 Process to record and react to the availability of new security updates based on a risk-benefit assessment

From aptrust


Status: Ready for review
Compliance Rating: Fully compliant
Responsible:

The repository shall have a process to record and react to the availability of new security updates based on a risk-benefit assessment.

Supporting Text

This is necessary in order to protect the integrity of the archival objects from unauthorized changes or deletions.

Examples for Meeting the Requirement

Risk register (list of all patches available and risk documentation analysis); evidence of update processes (e.g., server update manager daemon); documentation related to the update installations.

Discussion

Decisions to apply security updates are likely to be the outcome of a risk-benefit assessment; security patches are frequently responsible for disrupting other aspects of system functionality or performance. It may not be necessary for a repository to implement all software patches, and the application of any must be carefully considered. Each security update implemented by the repository must be documented with details about how it is completed; both automated and manual updates are acceptable. Significant security updates might pertain to software other than core operating systems, such as database applications and Web servers, and these should also be documented. Security updates are not limited to software security updates. Updates to actual hardware or to the hardware system's firmware are included. Over time it is likely that security updates will also be needed for the repository processes and for its physical security. Although security updates can be considered as a part of change control, they are identified separately here because there are often outside services that compile and circulate information on security issues and updates. At a minimum, repositories should be monitoring these services to ensure that repository-held data is not subject to compromise by identified threats.

Evidence Provided

APTrust adheres to procedures pertaining to software updates that can be found here: Support and Maintenance#Software updates

See the page on Risk Management, Threats, and Mitigations for information on identifying, preventing, and mitigating risks.

Third-party libraries that are used in our code are checked for updates on a continuous basis by using Codeclimate and Go Report Card. The technical team is notified by email about outdated libraries and acts accordingly.