---
title: Patch Management
description: How digiBandit keeps your systems secure and up-to-date through ring-based automated patching aligned with Canadian cybersecurity standards.
category: policies
tags: [patch, policies, security, compliance]
permalink: go.dbits.ca/dd/patch-management
---

# Patch Management

Keeping software up-to-date is one of the most effective ways to prevent security breaches. digiBandit manages patching for all devices under our managed services using a structured, multi-stage deployment process that balances security urgency with operational stability.

## What We Patch

- **Operating Systems** - Windows updates, macOS updates, and Linux packages
- **Third-Party Software** - Browsers, productivity tools, runtimes, and common business applications
- **Firmware** - Network equipment firmware updates during maintenance windows

## How It Works

### Ring-Based Deployment

Rather than pushing patches to all devices at once, we use a staged rollout approach used by enterprise organizations worldwide. Patches move through four deployment rings, with each ring validating the update before it reaches more devices:

| Ring | Purpose | Timing | Who |
|------|---------|--------|-----|
| Ring 0 - Test | Validate patches install cleanly | Patch Tuesday + 0 days | digiBandit internal devices |
| Ring 1 - Pilot | Detect application incompatibilities | Patch Tuesday + 3 days | Small group of opt-in client devices |
| Ring 2 - Standard | Main deployment wave | Patch Tuesday + 7 days (Wednesday) | All managed workstations |
| Ring 3 - Servers | Final ring after full validation | Patch Tuesday + 14 days | Servers and critical systems |

This means your workstations receive patches one week after Microsoft releases them, giving us time to catch any issues on our own systems and pilot devices first. Servers receive patches two weeks after release with the most testing completed.

All patch installations occur during off-hours (early morning) with automatic reboots when required, minimizing disruption to your workday.

### Severity-Based Timelines

Not all patches are equal. We prioritize based on severity following Canadian Centre for Cyber Security (CCCS) guidelines:

| Severity | Timeline | Our Response |
|----------|----------|-------------|
| Critical (CVSS 9.0+) | 48 hours | Emergency deployment, bypass standard rings |
| High (CVSS 7.0-8.9) | 14 days | Accelerated ring progression |
| Medium (CVSS 4.0-6.9) | 30 days | Standard ring cycle |
| Low (CVSS 0.1-3.9) | 90 days | Standard ring cycle |

Critical security patches that address actively exploited vulnerabilities are deployed within 48 hours regardless of the ring schedule.

### Manual Patching

Some updates require manual intervention:

- **Line-of-business software** that requires testing before deployment
- **Major OS upgrades** that may affect workflows
- **Custom applications** with vendor-specific update procedures

For these, [submit a ticket](https://portal.dbits.ca) with the software details and we'll coordinate an update window.

## Monitoring and Reporting

Every managed device is continuously monitored for patch compliance. Our automated systems track:

- Whether each device is fully patched
- How quickly patches are applied after release
- Any devices that fail to install updates
- Devices requiring reboots to complete updates

You can view your devices' patch status in the [client portal](https://portal.dbits.ca) under each asset's Device Management section.
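
The ring offsets and severity timelines above can be combined into a per-device due date and compared with install dates, which is the kind of check the monitoring in this section describes. The following Python is an added example, not digiBandit's tooling; it assumes a device is due on the earlier of its ring day and the severity deadline, and the device names and install dates are constructed.

```python
from datetime import date, timedelta

# Ring offsets (days after Patch Tuesday) and severity deadlines, taken from the tables above.
RING_OFFSET_DAYS = {0: 0, 1: 3, 2: 7, 3: 14}
SEVERITY_DEADLINES = [(9.0, 2), (7.0, 14), (4.0, 30), (0.1, 90)]  # (minimum CVSS, days)


def patch_tuesday(year, month):
    """Second Tuesday of the month, the regular Microsoft release day."""
    first = date(year, month, 1)
    first_tuesday = first + timedelta(days=(1 - first.weekday()) % 7)  # Monday=0, Tuesday=1
    return first_tuesday + timedelta(days=7)


def severity_deadline_days(cvss):
    for floor, days in SEVERITY_DEADLINES:
        if cvss >= floor:
            return days
    raise ValueError(f"CVSS score {cvss} is below the lowest severity band")


def due_date(release, ring, cvss):
    """Assumption: due on the earlier of the ring day and the severity deadline."""
    ring_date = release + timedelta(days=RING_OFFSET_DAYS[ring])
    return min(ring_date, release + timedelta(days=severity_deadline_days(cvss)))


def audit(devices, release, cvss, today):
    """Map each device to 'compliant', 'pending' or 'overdue' for one patch."""
    report = {}
    for name, ring, installed in devices:
        due = due_date(release, ring, cvss)
        if installed is not None:
            report[name] = "compliant" if installed <= due else "overdue"
        else:
            report[name] = "pending" if today <= due else "overdue"
    return report

# Constructed sample inventory: (device, ring, install date or None if not yet installed).
RELEASE = patch_tuesday(2025, 1)
DEVICES = [
    ("lab-pc", 0, RELEASE),
    ("pilot-laptop", 1, RELEASE + timedelta(days=5)),
    ("front-desk", 2, None),
    ("file-server", 3, RELEASE + timedelta(days=10)),
]

if __name__ == "__main__":
    print(audit(DEVICES, RELEASE, 9.8, today=RELEASE + timedelta(days=6)))
```

Run against the same inventory, a Medium-severity patch leaves the Ring 2 workstation pending on day 6, while a Critical one makes every device that was not patched within 48 hours overdue, whatever its ring.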

### Monthly Compliance Reports

Each month, we generate a detailed Patch Compliance Report for your organization that includes:

- Overall compliance grade (A through F)
- Per-device patch status
- Patches applied during the period
- Any exceptions or offline devices
- Compliance alignment with industry standards

These reports are available in your ITFlow documents and are useful for:

- Quarterly business reviews
- Cyber insurance renewal evidence
- CyberSecure Canada certification documentation
- Internal audit requirements

## Compliance Alignment

Our patch management process is designed to meet or exceed the requirements of:

- **CCCS (Canadian Centre for Cyber Security)** - Patching timelines align with CCCS recommended remediation windows
- **CyberSecure Canada (CAN/CIOSC 104:2021)** - Automated patching satisfies the "Install updates on time" baseline control
- **CIS Controls v8.1** - Control 7 (Continuous Vulnerability Management) addressed through automated scanning and remediation
- **Cyber Insurance** - Monthly compliance reports provide evidence of active patch management for insurance applications and renewals

## Exception Handling

If a specific patch causes issues with your business applications, we can:

1. Defer the patch for a defined period while investigating
2. Document the exception with a risk assessment
3. Apply compensating controls if needed
4. Re-test and deploy when the issue is resolved

All exceptions are tracked and documented in your compliance reports.

## Privilege Access Management

If you need to install or update software that requires administrator permissions, our privilege access management system lets you request elevation without needing full admin credentials. See [Privilege Access Management](../Security/Privilege_Access_Management_PAM.md) for details.

## What's Included

Patch management is included in Standard and Fully Managed device management tiers at no additional cost.
See [Device Management](../Services/Device_Management.md) for tier details.

## Questions?

- **Phone:** (506) 404-0055
- **Email:** hey@dbits.ca
- **Portal:** [portal.dbits.ca](https://portal.dbits.ca)