COI Report – Part VII Page 386 of 425

1126. CII operators that need to maintain a high security posture cannot afford to ignore the dormant security vulnerabilities that lie waiting to be exploited in outdated software.

1127. No timeline can be fixed as to how quickly an upgrade should be installed after it is released, as there are considerations such as availability of budget, the size of the installed base that needs to be upgraded, and the length of downtime or disruption to operations. However, any enterprise-wide security plan that ignores planned upgrades to software is incomplete. Routine and regular software upgrades are an essential element of every security and risk mitigation plan, and a well thought-out upgrade strategy is a critical component of overall IT security. Upgrading software to make one’s network more secure is not just a defensive strategy – it is a proactive one that protects one’s business and provides necessary stability to one’s network.

47.2 An appropriate governance structure must be put in place to ensure that the software upgrade policy is adhered to

1128. It bears repeating that the software upgrade policy, like all other written policies, cannot simply be treated as a theoretical exercise. It must be implemented and diligently enforced. As such, IHiS and Cluster management must put in place an appropriate governance structure to:
a) Ensure that the software upgrade policy is adhered to;
b) Ensure that security considerations are given due weight in decisions regarding software upgrades; and
c) Ensure that any decision to forgo an upgrade or to deviate from the upgrade policy is properly considered and documented.

1129. At present, it does not appear that any such structure is in place. For example, a security deviation form approved by Benedict for the postponement of certain software upgrades does not appear to have been escalated to anyone