Workstations patched within SLA
Demonstrate that security patches are consistently deployed to workstations within established SLA timelines and that deviations are documented, justified, and remediated appropriately.
Description
What this control does
This control ensures that workstation operating systems and applications are updated with security patches within a defined service level agreement (SLA) timeframe. The SLA clock is typically measured from the date a patch is released by the vendor or from the date it is assessed as applicable to the environment; the policy must state which of the two applies, because the choice changes the number of days measured for every patch. Patch deployment is typically managed through centralized patch management systems that automate discovery, testing, deployment, and verification of updates across the workstation fleet. The control reduces the window of exposure to known vulnerabilities that adversaries actively exploit, particularly high-severity vulnerabilities that are publicly disclosed and already being exploited in the wild (n-day vulnerabilities). It does not address true zero-day vulnerabilities, for which no vendor fix yet exists; those are outside the scope of a patch SLA.
Control objective
What auditing this proves
Demonstrate that security patches are consistently deployed to workstations within established SLA timelines and that deviations are documented, justified, and remediated appropriately.
Associated risks
Risks this control addresses
- Exploitation of publicly disclosed vulnerabilities for which patches are available but not deployed, enabling remote code execution or privilege escalation
- Malware propagation across unpatched workstations through network-based worm activity leveraging known operating system vulnerabilities
- Data exfiltration via exploitation of unpatched browser or productivity application vulnerabilities through drive-by downloads or malicious documents
- Ransomware infection leveraging unpatched SMB, RDP, or other protocol vulnerabilities to encrypt workstation data and spread laterally
- Credential theft through exploitation of authentication bypass vulnerabilities in outdated workstation software
- Compliance violations and audit findings due to failure to meet regulatory or contractual patch management requirements
- Loss of stakeholder trust and reputational damage following breach incidents attributable to unpatched workstation vulnerabilities
Testing procedure
How an auditor verifies this control
- Obtain the organization's patch management policy or procedure and identify the defined SLA timelines for critical, high, medium, and low severity patches on workstations.
- Request access to the patch management system console (e.g., WSUS, SCCM, Intune, Jamf, or third-party tools) and export the current patch compliance status report for all managed workstations.
- Select a representative sample of 20 to 30 workstations spanning different departments, operating systems, and patch management zones for detailed testing.
- For each sampled workstation, query the patch management system to retrieve the patch installation history including patch release date, detection date, deployment date, and installation confirmation date.
- Identify any patches that exceeded the defined SLA thresholds and obtain exception requests, risk acceptance documentation, or compensating control evidence for those instances.
- Review change management records or patch deployment logs from the past three months to verify that emergency or out-of-band patches were deployed within critical SLA windows.
- Validate that the patch management system is configured to automatically scan workstations at defined intervals and that all sampled workstations have reported scan results within the expected timeframe. Treat any workstation whose most recent scan is older than that interval as of unknown status rather than compliant, since the patch state it reports may be stale.
- Interview IT operations or endpoint management staff to confirm processes for handling patch failures, rollback procedures, and escalation protocols when SLA breaches occur.
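Steps 3 through 6 above reduce to one computation over the exported report: for each sampled host and patch, the days from the SLA clock start to installation (or to the audit date if the patch is still missing), compared with the threshold for its severity, with documented exceptions set aside and hosts whose last scan is stale flagged separately. The Python script below, added here as an illustration and not part of the original page or of any vendor console, performs that check over a constructed CSV export. The SLA thresholds, column names, hostnames, patch IDs, and exception list are all assumed placeholders; a real run would read the console's export instead of the embedded sample.

```python
"""SLA compliance check over a patch-management export (added example, constructed data)."""
import csv
from datetime import date, datetime
from io import StringIO

# Assumed SLA thresholds in days from the SLA clock start until installation.
# Hypothetical values; the organization's own policy defines the real ones.
SLA_DAYS = {"critical": 7, "high": 14, "medium": 30, "low": 90}
# Assumed maximum age of the last compliance scan before a host is treated as unknown.
SCAN_MAX_AGE_DAYS = 7

# Constructed sample export. Column names follow the fields the testing procedure lists;
# hostnames and patch IDs are placeholders, not real identifiers.
SAMPLE_EXPORT = """\
hostname,patch_id,severity,release_date,detection_date,install_date,last_scan
WS-FIN-001,PATCH-001,critical,2024-03-01,2024-03-02,2024-03-05,2024-03-28
WS-FIN-001,PATCH-002,high,2024-03-01,2024-03-02,2024-03-20,2024-03-28
WS-HR-014,PATCH-001,critical,2024-03-01,2024-03-03,,2024-03-10
WS-ENG-203,PATCH-003,medium,2024-02-01,2024-02-02,2024-02-20,2024-03-29
WS-ENG-203,PATCH-001,critical,2024-03-01,2024-03-02,2024-03-09,2024-03-29
"""

# Constructed list of documented, approved exceptions as (hostname, patch_id).
APPROVED_EXCEPTIONS = {("WS-ENG-203", "PATCH-001")}


def parse_date(value):
    """ISO date string -> date; an empty field (patch not installed) -> None."""
    return datetime.strptime(value, "%Y-%m-%d").date() if value else None


def parse_export(text):
    """Read the CSV export into dicts with real date objects."""
    rows = []
    for row in csv.DictReader(StringIO(text)):
        for col in ("release_date", "detection_date", "install_date", "last_scan"):
            row[col] = parse_date(row[col])
        rows.append(row)
    return rows


def evaluate(rows, as_of, clock="release_date", exceptions=frozenset()):
    """Classify every (host, patch) pair against the SLA.

    clock selects where the SLA clock starts: 'release_date' (vendor release) or
    'detection_date' (first assessed as applicable). Patches not yet installed are
    measured up to as_of so that still-open breaches are counted, not hidden.
    """
    findings = []
    for row in rows:
        start = row[clock]
        end = row["install_date"] or as_of
        days = (end - start).days
        limit = SLA_DAYS[row["severity"].lower()]
        if days <= limit:
            status = "compliant"
        elif (row["hostname"], row["patch_id"]) in exceptions:
            status = "breach_excepted"  # late, but a documented exception exists
        else:
            status = "breach"
        findings.append({
            "hostname": row["hostname"],
            "patch_id": row["patch_id"],
            "severity": row["severity"],
            "days": days,
            "installed": row["install_date"] is not None,
            "status": status,
        })
    return findings


def stale_hosts(rows, as_of):
    """Hosts whose newest scan is older than SCAN_MAX_AGE_DAYS. Their reported state
    is stale, so they are 'unknown', not 'compliant', even with no missing patches."""
    newest = {}
    for row in rows:
        host = row["hostname"]
        newest[host] = max(newest.get(host, date.min), row["last_scan"])
    return sorted(h for h, d in newest.items() if (as_of - d).days > SCAN_MAX_AGE_DAYS)


def compliance_by_severity(findings):
    """Fraction of (host, patch) pairs within SLA per severity; excepted breaches still count as misses."""
    totals, ok = {}, {}
    for f in findings:
        sev = f["severity"]
        totals[sev] = totals.get(sev, 0) + 1
        ok[sev] = ok.get(sev, 0) + (f["status"] == "compliant")
    return {sev: ok[sev] / totals[sev] for sev in totals}


if __name__ == "__main__":
    rows = parse_export(SAMPLE_EXPORT)
    as_of = parse_date("2024-03-30")  # assumed audit date
    for f in evaluate(rows, as_of, exceptions=APPROVED_EXCEPTIONS):
        if f["status"] != "compliant":
            state = "installed" if f["installed"] else "still open"
            print(f"{f['hostname']} {f['patch_id']} {f['severity']}: {f['days']}d ({state}) -> {f['status']}")
    print("stale scans:", stale_hosts(rows, as_of))
    print("compliance:", compliance_by_severity(evaluate(rows, as_of)))
```

Two points the sample is built to show. First, the `clock` argument matters: the WS-ENG-203 critical patch is 8 days late when measured from vendor release but exactly 7 days when measured from detection, so the same evidence is a breach under one policy wording and compliant under the other; the auditor should confirm which start point the policy defines before counting deviations. Second, WS-HR-014 has not scanned in 20 days, so its missing critical patch is both an open SLA breach and an unreliable data point; the host belongs in the stale-scan list rather than in the compliant population.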
Where this control is tested