Enterprises face tight timelines for critical patch and update management to remain within the Cyber Essentials Framework. APPtechnology’s service covers the applications that are not reached by turning on vendors' auto-update functionality or automated patch tooling.
You decide which actions are taken on a per-application basis.
When you onboard an application to our service, we agree the actions to be taken based on patch release, criticality, and minor or major versions. For instance, you will want critical patches packaged for deployment but may decide to skip functional patching. You could have minor versions packaged on release, but require business confirmation on major version packaging.
Alternatively, you could cut the cost of minor version packaging and only re-baseline your application following a critical support update, so that your baseline application doesn’t have any critical flaws.
The choice is yours: you decide on a policy that we will work to, and you decide where business input is required.
The Cyber Essentials Plus control theme states software must be:
…patched within 14 days of an update being released, where the patch fixes a vulnerability with a severity the product vendor describes as 'critical' or 'high risk'. Some vendors release patches for multiple issues with differing severity levels as a single update. If such an update covers any 'critical' or 'high risk' issues, then it must be installed within 14 days.
APPtechnology will assess and package based on the agreed policy, or inform and confirm with the business before proceeding. You remain in charge and compliant.
The Cyber Essentials Plus control theme states that software should be removed from devices when no longer supported, as product vendors do not generally release patches for products they no longer support.
Your organisation cannot predict which vendors will drop product support or even cease to trade, but when they do you can be faced with a dilemma over unsupported business-critical applications that are integrated with other essential business processes.
APPtechnology have a host of legacy application management solutions to enable the secure and protected continued use of unsupported software where a business exception is required.
Isolation and containerisation techniques ensure that any unsupported applications or server/client systems can withstand all the penetration test requirements to meet your CE+ requirements.