SI-2 / A.12.6.1 / CIS-7.2 NIST SP 800-53 Rev 5

How quickly do you patch internet-facing systems (firewalls, VPNs, web servers, email servers)?

Demonstrate that the organization applies security patches to internet-facing systems within documented timeframes aligned with vulnerability severity and exploitability.

Description

What this control does

This control governs the time elapsed between the vendor's release of a security patch and its deployment to internet-facing systems such as firewalls, VPN concentrators, web servers, and email gateways. Organizations typically define tiered patching Service Level Objectives (SLOs) by severity and exploitability, with critical vulnerabilities in internet-facing assets often requiring remediation within 24-72 hours. The SLO clock starts at patch release, not at the organization's first scan detection, because publicly accessible infrastructure is scanned for and exploited by adversaries within hours of disclosure; rapid patching shrinks that window of exposure to known exploits.

Control objective

What auditing this proves

Demonstrate that the organization applies security patches to internet-facing systems within documented timeframes aligned with vulnerability severity and exploitability.

Associated risks

Risks this control addresses

  • Exploitation of known vulnerabilities by automated scanning tools and opportunistic attackers before patches are applied
  • Compromise of perimeter security devices (firewalls, VPNs) granting attackers persistent network access or credential harvesting capabilities
  • Defacement or data exfiltration through unpatched web server vulnerabilities exploited via public HTTP/HTTPS interfaces
  • Email server compromise enabling phishing infrastructure, spam relay operations, or Business Email Compromise (BEC) attacks
  • Exposure window (n-day exploitation) extended by slow patch deployment after vendor disclosure and proof-of-concept publication
  • Regulatory non-compliance and breach notification obligations triggered by exploitation of vulnerabilities with available patches
  • Reputational damage and customer trust erosion following public disclosure of preventable breaches via unpatched internet-facing systems

Testing procedure

How an auditor verifies this control

  1. Obtain and review the organization's patch management policy, focusing on SLOs for internet-facing systems by vulnerability severity (critical, high, medium, low).
  2. Request an inventory of all internet-facing systems including firewalls, VPN gateways, web servers, email servers, and API endpoints with ownership assignments.
  3. Select a sample period (e.g., prior 6 months) and obtain vulnerability scan reports, vendor security bulletins, and CVE alerts relevant to internet-facing asset types.
  4. Trace 10-15 critical and high-severity vulnerabilities from publication date to patch deployment completion, collecting change tickets, approval records, and deployment logs.
  5. Calculate elapsed time between vendor patch release and production deployment for each sampled vulnerability, comparing results to documented SLOs; for items still open at the audit date, measure elapsed time to that date.
  6. Interview IT operations and security teams to understand emergency patching procedures, testing protocols, and escalation paths for out-of-band and actively exploited (zero-day) vulnerabilities.
  7. Review compensating controls documentation (e.g., Web Application Firewall rules, network segmentation, IPS signatures) applied during patch testing or when patches are unavailable.
  8. Verify post-deployment validation by examining evidence such as vulnerability rescans, version confirmations, or automated compliance checks showing the patch is actually in place.
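Steps 4 and 5 of the procedure, together with the 90% pass criterion, reduce to a calculation an auditor can script over the change tickets and deployment logs collected in step 4. The following Python is an added example, not part of this control page or of any vendor tool. The SLO hours, asset names, SAMPLE-nn identifiers and timestamps are constructed for illustration; real CVE identifiers and ticket exports would replace them.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Tiered patching SLOs for internet-facing systems, in hours from vendor patch
# release to production deployment. These values are assumptions for the
# example; the organization's patch management policy is the real source.
SLO_HOURS = {"critical": 72, "high": 168, "medium": 720, "low": 2160}
PASS_THRESHOLD = 0.90  # pass criterion from this control: >= 90% within SLO


@dataclass
class PatchRecord:
    vuln_id: str                        # vulnerability identifier (CVE in practice)
    asset: str                          # internet-facing asset from the inventory
    severity: str                       # critical / high / medium / low
    released: str                       # vendor patch release, ISO 8601 UTC ("...Z")
    deployed: Optional[str]             # production deployment; None if still open
    compensating: Optional[str] = None  # documented compensating control, if any


def parse_utc(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def elapsed_hours(rec: PatchRecord, as_of: str) -> float:
    """Hours from patch release to deployment, or to the audit date if still open."""
    end = rec.deployed if rec.deployed else as_of
    return (parse_utc(end) - parse_utc(rec.released)).total_seconds() / 3600


def within_slo(rec: PatchRecord, as_of: str) -> bool:
    # An open item counts as compliant only while it is still inside its SLO window.
    return elapsed_hours(rec, as_of) <= SLO_HOURS[rec.severity.lower()]


def assess(records, as_of: str) -> dict:
    """Step 5 plus the pass criteria: per-item elapsed time, share within SLO,
    and whether every SLO breach has a documented compensating control."""
    details = [(r, round(elapsed_hours(r, as_of), 1), within_slo(r, as_of)) for r in records]
    breaches = [r for r, _, ok in details if not ok]
    undocumented = [r for r in breaches if not r.compensating]
    rate = sum(1 for _, _, ok in details if ok) / len(records) if records else 0.0
    return {
        "rate": rate,
        "breaches": [r.vuln_id for r in breaches],
        "undocumented_exceptions": [r.vuln_id for r in undocumented],
        "passed": rate >= PASS_THRESHOLD and not undocumented,
        "details": details,
    }


# Constructed sample: ten critical/high items traced over a six-month period.
AS_OF = "2024-07-01T00:00:00Z"
SAMPLE_RECORDS = [
    PatchRecord("SAMPLE-01", "fw-edge-01", "critical", "2024-01-10T12:00:00Z", "2024-01-12T09:00:00Z"),
    PatchRecord("SAMPLE-02", "vpn-gw-01", "critical", "2024-02-03T08:00:00Z", "2024-02-05T20:00:00Z"),
    PatchRecord("SAMPLE-03", "web-01", "high", "2024-02-14T00:00:00Z", "2024-02-19T00:00:00Z"),
    PatchRecord("SAMPLE-04", "mail-gw-01", "high", "2024-03-01T10:00:00Z", "2024-03-07T10:00:00Z"),
    # SLO breach (120 h against a 72 h SLO), covered by a documented WAF rule.
    PatchRecord("SAMPLE-05", "web-02", "critical", "2024-03-15T00:00:00Z", "2024-03-20T00:00:00Z",
                compensating="WAF rule blocking the vulnerable request path until patched"),
    PatchRecord("SAMPLE-06", "api-gw-01", "high", "2024-04-02T00:00:00Z", "2024-04-04T00:00:00Z"),
    PatchRecord("SAMPLE-07", "fw-edge-02", "critical", "2024-04-20T06:00:00Z", "2024-04-22T18:00:00Z"),
    PatchRecord("SAMPLE-08", "vpn-gw-02", "high", "2024-05-05T00:00:00Z", "2024-05-11T12:00:00Z"),
    PatchRecord("SAMPLE-09", "mail-gw-02", "critical", "2024-05-30T00:00:00Z", "2024-06-01T12:00:00Z"),
    # Still open at the audit date but inside its 168 h window, so still compliant.
    PatchRecord("SAMPLE-10", "web-03", "high", "2024-06-28T00:00:00Z", None),
]

if __name__ == "__main__":
    result = assess(SAMPLE_RECORDS, AS_OF)
    for rec, hours, ok in result["details"]:
        print(f"{rec.vuln_id} {rec.asset:<12} {rec.severity:<8} {hours:>7.1f} h {'OK' if ok else 'BREACH'}")
    print(f"within SLO: {result['rate']:.0%}  breaches: {result['breaches']}  "
          f"undocumented: {result['undocumented_exceptions']}  passed: {result['passed']}")
```

The sample passes at exactly 90% because the single breach carries a documented compensating control; removing that documentation from SAMPLE-05 flips the result to a fail even though the rate is unchanged, which is the second half of the pass criteria. Measuring open items against the audit date rather than ignoring them prevents a backlog of undeployed patches from inflating the compliance rate.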
Evidence required

Auditors collect patch management policy documents with defined SLOs, asset inventory exports identifying internet-facing systems, vulnerability management system reports showing detection-to-remediation timelines, change management tickets with timestamps for patch approvals and deployments, before-and-after vulnerability scan results confirming remediation, and evidence of compensating controls applied during patching windows. Documentation of emergency change procedures and post-deployment validation artifacts (version checks, rescan reports) is also gathered.

Pass criteria

The organization consistently patches critical and high-severity vulnerabilities on internet-facing systems within documented SLO timeframes, with evidence showing that at least 90% of sampled vulnerabilities were remediated within SLO across the sample period and that every exception is backed by a documented compensating control.