System Update Policy
Last modified 10/10/2019
Document Maintenance Log
Objectives
The objective of this document is to define a standard operating procedure for keeping potentially vulnerable systems up to date and functioning optimally. This applies to all Intterra SaaS infrastructure including non-production environments and workstations used to connect. This is a DevOps function, which is a subgroup of the Engineering department.
Controls
In general, systems should be scanned every 30 days by the assigned DevOps engineer during the last week of the month.
Security patches should be applied for severe and moderate vulnerabilities. Where possible, these patches should be evaluated in non-production environments before being applied to production environments. Steps should be taken to get notified of vulnerabilities that affect confidentiality, integrity, or availability in technologies that we use. Periodic scanning of systems should occur during the last week of the month, and reminders should be created in a collaboration tool, such as the engineering shared calendar. At the end of an update, an email notification should be sent to the technical team giving an overview of the systems updated and the nature of the updates.
Systems & Technologies
Elastic Beanstalk
Enable auto-patch during the maintenance window
RDS Postgres
Auto-apply patches during the maintenance window
EC2 (Windows)
Apply Windows updates every 30 days
EC2 Ubuntu
Enable automatic updates and reboot (to apply) every 30 days
EC2 CentOS
Run yum updates every 30 days
Jenkins
Update plugins to latest every 30 days
ArcGIS
Apply patches as prudent
Node.js Modules (all repos)
Use built-in yarn tooling such as audit, outdated, and upgrade to address all severe and moderate issues in dependencies, and review issues in devDependencies. This should occur every 30 days.
[Future] Automate as recurring (Jenkins?) task
NuGet (C#) Modules
Use the approved third-party tool DevAudit (https://github.com/OSSIndex/DevAudit/releases) to scan C# projects
Python Modules
Use third-party tooling such as Safety (https://pyup.io/safety/) to scan projects every 30 days.
AWS Infrastructure
AWS Trusted Advisor
AWS Well-Architected Tool
Workstations
Keep workstations updated with automatic updates