Acceptable Practices for Server Patch Management

Revised: 27 Nov 2024 by ITSO

A supported operating system must be used for servers, one for which the vendor can provide timely security patches for known and published vulnerabilities. ITSO recommends following the National Vulnerability Database (NVD) ratings for security risk classification and patch management: apply high severity (score of 7.0-10.0) security patches within 1 week after publication, and medium severity (score of 4.0-6.9) and low severity (score of 0.0-3.9) security patches within 4 weeks. For a very high severity vulnerability that poses an immediately exploitable threat to the system, ITSO recommends applying the patch or remediation immediately.

As a general practice, a system upgrade shall be scheduled at least every 4 weeks to apply patches of all severity levels to a server operating system.


Related Links

  • NVD is the U.S. government repository of standards-based vulnerability management data. This data enables automation of vulnerability management, security measurement, and compliance.