digiDocs/Policies/Patch_Management.md
Joey King 736605fa0b
Rewrite patch management policy: ring deployment, CCCS alignment, SLA timelines
2026-03-29 21:04:53 +00:00

title: Patch Management
description: How digiBandit keeps your systems secure and up-to-date through ring-based automated patching aligned with Canadian cybersecurity standards.
category: policies
tags: patch, policies, security, compliance
permalink: go.dbits.ca/dd/patch-management

Patch Management

Keeping software up-to-date is one of the most effective ways to prevent security breaches. digiBandit manages patching for all devices under our managed services using a structured, multi-stage deployment process that balances security urgency with operational stability.

What We Patch

  • Operating Systems - Windows updates, macOS updates, and Linux packages
  • Third-Party Software - Browsers, productivity tools, runtimes, and common business applications
  • Firmware - Network equipment firmware updates during maintenance windows

How It Works

Ring-Based Deployment

Rather than pushing patches to all devices at once, we follow the staged rollout approach used by enterprise organizations worldwide. Patches move through four deployment rings, and each ring validates the update before it reaches more devices:

| Ring | Purpose | Timing | Who |
|---|---|---|---|
| Ring 0 - Test | Validate patches install cleanly | Patch Tuesday + 0 days | digiBandit internal devices |
| Ring 1 - Pilot | Detect application incompatibilities | Patch Tuesday + 3 days | Small group of opt-in client devices |
| Ring 2 - Standard | Main deployment wave | Patch Tuesday + 7 days (Wednesday) | All managed workstations |
| Ring 3 - Servers | Final ring after full validation | Patch Tuesday + 14 days | Servers and critical systems |

This means your workstations receive patches one week after Microsoft releases them, giving us time to catch any issues on our own systems and pilot devices first. Servers receive patches two weeks after release with the most testing completed.

All patch installations occur during off-hours (early morning) with automatic reboots when required, minimizing disruption to your workday.

Severity-Based Timelines

Not all patches are equal. We prioritize based on severity following Canadian Centre for Cyber Security (CCCS) guidelines:

| Severity | Timeline | Our Response |
|---|---|---|
| Critical (CVSS 9.0+) | 48 hours | Emergency deployment, bypass standard rings |
| High (CVSS 7.0-8.9) | 14 days | Accelerated ring progression |
| Medium (CVSS 4.0-6.9) | 30 days | Standard ring cycle |
| Low (CVSS 0.1-3.9) | 90 days | Standard ring cycle |

Critical security patches that address actively exploited vulnerabilities are deployed within 48 hours regardless of the ring schedule.

Manual Patching

Some updates require manual intervention:

  • Line-of-business software that requires testing before deployment
  • Major OS upgrades that may affect workflows
  • Custom applications with vendor-specific update procedures

For these, submit a ticket with the software details and we'll coordinate an update window.

Monitoring and Reporting

Every managed device is continuously monitored for patch compliance. Our automated systems track:

  • Whether each device is fully patched
  • How quickly patches are applied after release
  • Any devices that fail to install updates
  • Devices requiring reboots to complete updates

You can view your devices' patch status in the client portal under each asset's Device Management section.

Monthly Compliance Reports

Each month, we generate a detailed Patch Compliance Report for your organization that includes:

  • Overall compliance grade (A through F)
  • Per-device patch status
  • Patches applied during the period
  • Any exceptions or offline devices
  • Compliance alignment with industry standards

These reports are available in your ITFlow documents and are useful for:

  • Quarterly business reviews
  • Cyber insurance renewal evidence
  • CyberSecure Canada certification documentation
  • Internal audit requirements

Compliance Alignment

Our patch management process is designed to meet or exceed the requirements of:

  • CCCS (Canadian Centre for Cyber Security) - Patching timelines align with CCCS recommended remediation windows
  • CyberSecure Canada (CAN/CIOSC 104:2021) - Automated patching satisfies the "Install updates on time" baseline control
  • CIS Controls v8.1 - Control 7 (Continuous Vulnerability Management) addressed through automated scanning and remediation
  • Cyber Insurance - Monthly compliance reports provide evidence of active patch management for insurance applications and renewals

Exception Handling

If a specific patch causes issues with your business applications, we can:

  1. Defer the patch for a defined period while investigating
  2. Document the exception with a risk assessment
  3. Apply compensating controls if needed
  4. Re-test and deploy when the issue is resolved

All exceptions are tracked and documented in your compliance reports.

Privilege Access Management

If you need to install or update software that requires administrator permissions, our privilege access management system lets you request elevation without needing full admin credentials. See Privilege Access Management for details.

What's Included

Patch management is included in Standard and Fully Managed device management tiers at no additional cost. See Device Management for tier details.

Questions?