This policy describes the formal procedures for managing vulnerabilities and patches within Cenareo.
It ensures the timely identification, prioritization, and deployment of security patches for all applications and systems that process data.
This policy is reviewed and updated periodically to reflect technological changes, industry best practices, and regulatory requirements.
Responsibilities
- Information Security Team: Responsible for managing vulnerability analysis, the risk assessment process, reporting, and overall program effectiveness.
- IT Operations Team: Responsible for deploying patches according to the established schedule, testing critical and high-severity patches (if required), and communicating with system owners.
- System owners: Responsible for ensuring that patches are applied to their respective systems in a timely manner and for collaborating with the IT Operations Team during emergency patch deployments.
Vulnerability Management
Vulnerability analysis
We regularly carry out vulnerability analyses of our information systems processing customer data, both internally and externally. This includes a combination of automated vulnerability analysis tools and manual penetration testing.
Frequency
- Network level vulnerability analysis: We conduct network vulnerability scans at least once a quarter; additional scans are performed if critical vulnerabilities are identified or if significant changes are made to the network infrastructure.
- Operating system level vulnerability analysis: Operating system vulnerability scans are performed at least once a month.
- Application level vulnerability analysis: Application vulnerability analyses are carried out regularly, with the frequency depending on the criticality of the application and how often it is updated or changed. High-risk applications may be analyzed weekly or even more frequently.
Penetration test
We conduct internal and external penetration tests of the infrastructure of our services serving customer data.
Internal penetration test
Red team exercises are simulated attacks carried out by a specialized security team in order to identify vulnerabilities in our systems and processes. These exercises are done at least once a year.
External network penetration test
We use independent security companies to conduct external penetration tests of our service infrastructure at least once a year.
Additional information
The specific frequency of vulnerability scans and penetration tests can be adjusted based on risk assessments and industry best practices. We prioritize fixing vulnerabilities based on their severity, exploitability, and potential impact on our systems and data. We maintain a vulnerability management program to track identified vulnerabilities, the status of corrective actions, and retest efforts.
Patch Management
Patch management procedures
Inventory and classification
We maintain a complete inventory of all software applications and operating systems used within the company. Each application and system will be classified according to its criticality and the type of data it processes.
Vulnerability Management
We use a vulnerability analysis tool to identify known security flaws in our software and systems, and we regularly update the tool with the latest vulnerability information.
Risk assessment process
Identified vulnerabilities will be subject to a risk assessment based on their severity (critical, high, medium, low), their exploitability, and their potential impact on our systems and data.
Patch deployment schedule
- Critical vulnerabilities: Patches for critical vulnerabilities will be deployed within 24 hours of confirmation.
- High-severity vulnerabilities: Patches for high-severity vulnerabilities will be deployed within 72 hours of confirmation.
- Medium- and low-severity vulnerabilities: Patches for medium- and low-severity vulnerabilities will be processed on a risk-based schedule, with priority given to vulnerabilities affecting critical systems or those with a high level of exploitability.
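As an added example that is not part of Cenareo's policy or tooling, the following Python tracker applies the deployment windows above (24 h for critical, 72 h for high, risk-based ordering for medium and low) to constructed finding records and reports which findings are open, overdue, patched on time, or patched late. The `Finding` fields, the tracker ids, and the two-tier ordering used for medium and low findings are assumptions made for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Windows from the patch deployment schedule; medium/low have no fixed window
# and are ordered by the risk criteria it names (critical systems, exploitability).
FIXED_WINDOWS = {"critical": timedelta(hours=24), "high": timedelta(hours=72)}
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}

@dataclass
class Finding:
    finding_id: str               # hypothetical tracker id, not a real identifier
    severity: str                 # critical / high / medium / low
    confirmed_at: datetime        # confirmation time; the patch clock starts here
    critical_system: bool         # affects a system classified as critical
    high_exploitability: bool     # exploit public or trivial to use
    patched_at: Optional[datetime] = None

def deadline(f: Finding) -> Optional[datetime]:
    """Fixed deadline for critical/high; None for risk-scheduled medium/low."""
    window = FIXED_WINDOWS.get(f.severity)
    return f.confirmed_at + window if window else None

def status(f: Finding, now: datetime) -> str:
    """Lifecycle state of one finding relative to its deadline."""
    d = deadline(f)
    if f.patched_at is not None:
        return "patched" if d is None or f.patched_at <= d else "patched-late"
    if d is None:
        return "scheduled"        # risk-based schedule, no fixed clock
    return "overdue" if now > d else "open"

def priority_key(f: Finding) -> Tuple[int, int, datetime]:
    """Severity first, then the risk tier the schedule names, then oldest first."""
    tier = 0 if (f.critical_system or f.high_exploitability) else 1
    return (SEVERITY_ORDER[f.severity], tier, f.confirmed_at)

def report(findings: List[Finding], now: datetime) -> List[Tuple[str, str]]:
    """(finding_id, status) pairs in the order the team should work them."""
    return [(f.finding_id, status(f, now)) for f in sorted(findings, key=priority_key)]

# Constructed sample records for illustration only (not real findings).
T0 = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
SAMPLE = [
    Finding("VM-1", "critical", T0, True, True),
    Finding("VM-2", "high", T0, False, False, patched_at=T0 + timedelta(hours=48)),
    Finding("VM-3", "medium", T0 - timedelta(days=3), True, False),
    Finding("VM-4", "low", T0, False, False),
    Finding("VM-5", "critical", T0, False, False, patched_at=T0 + timedelta(hours=30)),
]
NOW = T0 + timedelta(hours=30)   # 30 h after confirmation: the 24 h window has passed
print(report(SAMPLE, NOW))
```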
Tests and Approval
Before being deployed to production systems, critical and high-severity patches may be subject to limited internal testing to ensure minimal disruption to operations.
Deployment and verification
The patches will be deployed on all affected systems according to the established schedule.
The successful deployment and application of the patches will be verified.
Emergency patch implementation process
In the event of a “zero-day” attack or critical vulnerability with a high level of exploitability, a process of deploying emergency patches will be launched.
This process will include:
- Rapid risk assessment: The information security team carries out a rapid assessment of the vulnerability's risk.
- Acquiring and testing emergency patches: IT operations will prioritize obtaining and, if necessary, conducting limited testing of the emergency patch.
- Deployment authorization: The information security team, in consultation with relevant stakeholders, will authorize the deployment of the emergency patch.
- Deployment and communication: The IT operations team will deploy the emergency patch to the affected systems. All relevant personnel will be notified of the deployment of the emergency patch and of any potential impacts.
Reporting and Follow-up
The information security team maintains a record of all identified vulnerabilities, risk assessments, patch deployments, and emergency response procedures.
Regular reports will be produced to monitor the effectiveness of the patch management program and identify areas for improvement.
Server security standard
This section describes the standards for strengthening server security for all servers in the Cenareo organization.
These standards are designed to minimize the attack surface and reduce the risk of unauthorized access, data breaches, and system interruption.
This standard specifically highlights the importance of patch management as a critical aspect of server security.
Server Hardening Principles
Minimize installed software
Only install software applications and services that are necessary for the server to function. Remove unused or superfluous software components to reduce the potential attack surface.
Keep software up to date
Apply security patches as soon as they are released by the vendor. Prioritize patching for critical vulnerabilities. Use a centralized patch management solution to automate and streamline the patching process where possible.
Secure default accounts
Disable unused default accounts provided by the operating system or software applications. Rename or deactivate administrator accounts with generic names such as “admin” or “root.”
Strengthen passwords
Implement strong password policies that require complex passwords with a minimum length and require regular password changes. Consider multi-factor authentication (MFA) for increased security.
Restrict administrative access
Limit administrative access to servers by applying the principle of least privilege. Give users only the minimum permissions they need to perform their assigned tasks.
Configure firewalls
Configure firewalls to limit incoming and outgoing traffic to only authorized ports and protocols.
Disable superfluous services
Disable all services that are not essential to the functioning of the server. This reduces the attack surface and potential vulnerabilities.
Auditing and logging
Enable system logging and review the logs regularly for suspicious activity.
Regular security assessments
Conduct periodic server security assessments to identify and correct potential security weaknesses.
Patch management procedures
Centralized patch management
Where possible, use a centralized patch management solution to automate patch deployment across servers. This ensures that patches are applied efficiently and consistently across the environment.
Vulnerability assessment and priority setting
Regularly scan for server vulnerabilities using vulnerability analysis tools. Prioritize the correction of critical vulnerabilities based on their severity and potential risk.
Tests
Before deploying patches to production servers, extensive testing should be done in a test environment to minimize the risk of introducing compatibility issues or system disruptions.
Patch deployment schedule
Establish a regular patch deployment schedule. Deploy critical security patches immediately, while using scheduled maintenance windows for less critical updates.
Post-patch check
Verify the deployment and functionality of the patches after they are installed. Monitor systems for unexpected behavior or issues.
Documentation
Maintain detailed documentation of all installed software, patch versions, and deployment dates for each server.
Additional Considerations
- Third-party applications: Third-party applications installed on the servers are kept up to date with security patches from their respective providers.
- End-of-life (EOL) software: Do not run outdated software that no longer receives security updates from the vendor; maintain plans to migrate EOL software to supported versions or alternative solutions.
- Physical security: Control physical access to server hardware and prevent unauthorized access.