152075. Procedures for Patch Application

  1. Upon receipt of notification of a Patch, the Technical Support Services Manager or designee and Senior Technical Analyst must determine the level of impact on the CA Network. There are 3 Impact Levels it can fall under; No Impact, Minor Impact, Critical Impact.
    1. No Impact means our systems are not vulnerable or fit the scope of the patch (i.e. we do not use that software or function) and it cannot be exploited on our network.
    2. Minor Impact means we may fit the scope but the patch does not fix vulnerability, or the fix is for non-critical functionality improvements (i.e. enhancements to software).
    3. Critical Impact means we fit the scope of the patch and not applying it could result in a negative impact on our network and systems resulting in loss of productivity.
  2. Upon determination of impact level, the Technical Support Services Manager or designee and Senior Technical Analyst will take the following actions. All actions must be entered into the Patch Tracking Log.
    1. No Impact. If the patch falls in this category, make notation in Patch Tracking Log and communicate info to CA Patch Notification Distribution List.
    2. Minor Impact. If the patch falls in this category, communicate that info to the CA Patch Notification Distribution List and add it to the regular Maintenance Rollup Package.
    3. Critical Impact. If the patch falls in this category, the Senior Technical Analyst or designee will communicate that info to the CA Patch Notification Distribution List and invoke the Expedited Patch Application Plan (EPAP).