System Update Policy

Last modified 10/10/2019















Document Maintenance Log

Author | Description | Date
Jason Posthuma | Document created | 10/10/2019









Objectives

The objective of this document is to define a standard operating procedure for keeping potentially vulnerable systems up to date and functioning optimally. This applies to all Intterra SaaS infrastructure including non-production environments and workstations used to connect. This is a DevOps function, which is a subgroup of the Engineering department.

Controls

In general, systems should be scanned every 30 days by the assigned DevOps engineer during the last week of the month.


Security patches should be applied for severe and moderate vulnerabilities. Where possible, these patches should be evaluated in non-production environments before being applied to production environments. Steps should be taken to get notified of vulnerabilities that affect confidentiality, integrity, or availability in technologies that we use. Periodic scanning of systems should occur during the last week of the month and reminders created in a collaboration tool, such as the engineering shared calendar. At the end of an update, an email notification should be sent to the technical team giving an overview of the systems updated and the nature of the updates.

Systems & Technologies


  • Elastic Beanstalk

    • Enable auto-patch during the maintenance window

  • RDS Postgres

    • Auto-apply patches during the maintenance window

  • EC2 (Windows)

    • Apply Windows updates every 30 days

  • EC2 Ubuntu

    • Enable automatic updates and reboot (to apply) every 30 days

  • EC2 CentOS

    • Run yum updates every 30 days

  • Jenkins

    • Update plugins to latest every 30 days

  • ArcGIS

    • Apply patches as prudent

  • Node.js Modules (all repos)

    • Use built-in yarn tooling such as audit, outdated, and upgrade to address all severe and moderate issues in dependencies, and review issues in devDependencies. This should occur every 30 days.

    • [Future] Automate as recurring (Jenkins?) task

  • NuGet (C#) Modules

  • Python Modules

  • AWS Infrastructure

    • AWS Trusted Advisor

    • AWS Well-Architected Tool

  • Workstations

    • Keep workstations updated with automatic updates