OPCO – Sociedade Operacional Angola LNG, S.A.

Patch Management PROCESS

24/08/2016

Insert Document Number

Approval and
Document owner recording tracking
<Insert manager job title here> First issue date 14-05-2013
Revision date 14-05-2013
Associated forms / documents Next review date 14-05-2014
<Insert any associated document reference <Insert document version
Version number
numbers here> number>

Approved

<approver>, <title> Date

 OPCO – Sociedade Operacional Angola LNG, S.A.
Patch Management PROCESS

Contents
1.0 Purpose 3
2.0 Context of use 3
3.0 Process Objectives 3
4.0 Process overview 4
5.0 Inputs and Outputs 6
6.0 Interfaces 7
7.0 Process performance management 7
8.0 Related documents 8
9.0 Continual Improvement 8
10.0 Document Control 8
Document Owner and Approval 8
Change History Record 9

Page 2
 OPCO – Sociedade Operacional Angola LNG, S.A.
Patch Management PROCESS

1.0 Purpose
The purpose of patch management Process is to provide guidance to enable personnel to follow
uniform processes related to patching the network devices and applications and hosted on the IT
systems.

2.0 Context of use

This process applies to ALNG IT\IM Teams responsible for:

 Applications:
 Network;
 Server;

3.0 Process Objectives

This process describes the GSS IT/IM patch management with the purpose of providing a
methodology for implementation of patches on systems in ALNG to address vulnerabilities, and
make patch management a vital component of IT security. Without an organized and controlled patch
process, systems may fall out of security compliance, and/or critical control systems may be
interrupted.

Page 3
 OPCO – Sociedade Operacional Angola LNG, S.A.
Patch Management PROCESS

4.0 Process overview

Patch Management Process Flow

Technician Supervisor Change Reviewers Board

Start

Download Patch

Yes Perform Local Patch Tests

Any issue
Any solution? Yes
found?

No

Develop Patch Adress Reason for

Implementation Plan Decline

Yes
No

Submit Patch Approved?

Implementation Plan (1st Level)

Any more
Change Approved? information
Perform CAB Meeting No Required?
Management Submit Change Request Yes ( 2nd Level)
Process

No
Apply Patches/Execute
Yes
Change

Verify/Validate/Save
Changes(Evidences)

END

Page 4
 OPCO – Sociedade Operacional Angola LNG, S.A.
Patch Management PROCESS

Patch Management Process is made of below procedures, identified below:

1. Download Patch(es):

This step will be performed by Technician, he will download patch from Vendor Website.

2. Perform Local Patch Tests:

This step will be performed by Technician, he will perform local tests with patches downloaded
from Vendor Site.

3. Any Issue:

This step will be performed by Technician, he will validate if we’ve any issue on Patches
downloaded, in case of “Yes” then go to Step 4 in case of “No” then go to Step 5(with this step
we guarantee regression Test).

4. Any Solution:
This step will be performed by Technician, he will validate if he’s able to solve the issue related
to Patch Downloaded, in case of “Yes” then go to Step 2 in case of “No” the process END.

5. Develop Patch Implementation Plan:

This step will be performed by Technician, he will develop a patch implementation/execution

plan.

6. Submit Patch Implementation Plan:

This step will be performed by Technician, he will submit patch Implementation Plan.

7. Approved(1st Level):

This step will be performed by Supervisor, he will Approve/Reject submitted Patch

Implementation Plan, in case of Reject re-do step 5(technician), in case of approve proceed with
next step (step 6) .

8. Submit Change Request:

This step will be performed by Technician, he will submit Change Request (based on Change
Management Process).

9. Perform CAB Meeting:

This step will be performed by CAB Members, they will perform CAB Meeting.

Page 5
 OPCO – Sociedade Operacional Angola LNG, S.A.
Patch Management PROCESS

10. Approved(2nd Level):

This step will be performed by CAB Members, they will Approve/Reject submitted Change
Request, in case of Approve go to step 13, in case of reject go to step 11.

11. Any more Information Required:

This step will be performed by CAB Members, they will evaluate if patch implementation plan
need/no need more information, if no need more information the change is Rejected and the
flow end, if need go to step 12.

12. Address Reason for decline:

This step will be performed by CAB Members, they will address the reason for decline.

13. Apply Patches/Execute Change:

This step will be performed by Technician, he will Apply Patches/Execute Change according to
defined and approved execution/Implementation Patch Plan.

14. Verify/validate/Save Changes(Evidences):

This step will be performed by Technician, he will verify, validate, evaluate and save the changes
that was performed.

5.0 Inputs and Outputs

Inputs
Commission Process
Patches downloaded
Tests Performed
Implementation Plan completed
Implementation Plan Received(1st Level for Approval)
Approved Implementation Plan
Implementation Plan Received(2nd Level for Approval)
Performed CAB Meeting
Rejected(2nd Level for Rejection)
Rejected(2nd Level for Rejection) reasons
Approved(2nd Level for Approval)
Patches Applied

Page 6
 OPCO – Sociedade Operacional Angola LNG, S.A.
Patch Management PROCESS

Outputs
Patches downloaded
Tests Performed
Implementation Plan completed
Implementation Plan sent to Supervisor
Approved(1st Level for Approval)
Rejected(1st Level for Rejection)
Submitted Implementation Plan
Performed CAB Meeting
Approved(2nd Level for Approval)
Rejected(2nd Level for Rejection)
Information required to be updated on action plan
Rejected(2nd Level for Rejection) reasons addressed
Patches Applied
Evidences Generated

6.0 Interfaces
Change Management Process

Commission Process

7.0 Process performance management

The effectiveness and efficiency of the process will be regularly monitored and service reports
produced for interested parties where agreed/required.

Process workloads and effectiveness will be monitored and measured as defined below.

Performance aspect Measure / report Frequency

Compliance Number of Approved Patches Semi - Annual
Compliance Number of Patches deployed on Semi - Annual
time(based on action plan)
Compliance Number of patches deployed Semi - Annual
with delay(based on action plan)
Compliance Number of reject patches Semi - Annual
implementation

Page 7
 OPCO – Sociedade Operacional Angola LNG, S.A.
Patch Management PROCESS

8.0 Related documents

Documents associated or linked to this process are listed below:
 Patch Management Process RACI
 Patch Management Procedure
 Patch Management Teams Procedures:
o Server;
o Application;
o Network;
Note: Due to EOL (End of Life) of network assets, ALNG ITIM Team don’t apply patches for those
assets, Network team defined a strategy to replace all those assets in order to start apply patches.
Some applications/software that we’ve deployed on ALNG ITIM Environment doesn’t follow a patch
management cycle described on this process (vendor’s technical specifications), for those we follow
Generic Patch Management Lifecycle.
Related to Microsoft assets, ALNG ITIM follows Microsoft Patch Management Lifecycle recurring to
SCCM as support tool to apply automatically the patches released.

9.0 Continual Improvement

The process will be reviewed every year for effectiveness and assessment to verify meeting the
requirements of this process.

The process owner will have the responsibility to review, maintain and process the documentation.
The continual improvement plan, will guarantee the performance of the following activities:
 Qualification of the process according to the matrix/criteria of CMMI ( Capability Maturity
Model Interface ) of the Carnegie Mellon College
 Identify the improvements to the process to reach the next level of CMMI
 Identify the resources required for the improvements
 Timing to implement and persons/staff required and responsible to carry on the activities

This will allow, an evergreen process, and continuous improvement of this process/procedures

10.0 Document Control

Document Owner and Approval

The [Manager/Executive (generic/line)] is the owner of the process that this document describes.
The process owner is responsible for ensuring that this document is reviewed in line with the review
requirements of the [service management system].

Page 8
 OPCO – Sociedade Operacional Angola LNG, S.A.
Patch Management PROCESS

A current version of this document is available to [all/specified] members of staff on the [corporate
intranet] and is published [ ].

This process document was approved by the [Manager/Executive (generic/line)] on [date] and is
issued on a version controlled basis under his/her signature.

Signature: Date:

Change History Record

Issue Description of Change Approval Date of Issue

1 Initial Document <Manager> Xx/yy/zz

Page 9