
Axalta Coating Systems

Axalta Patch Management Policy

1.0 Overview
End User Computing Services (EUCS) is responsible for ensuring the confidentiality, integrity, and availability of its data and that of customer data stored on its systems. EUCS has an obligation to provide appropriate protection against malware threats, such as viruses, Trojans, and worms, which could adversely affect the security of the system or its data entrusted on the system. Effective implementation of this policy will limit the exposure and effect of common malware threats to the systems within this scope.

2.0 Purpose
This document describes the EUCS/System Center Configuration Manager (SCCM) requirements for maintaining up-to-date operating system security patches on all Axalta Coating Systems owned and managed workstations.

3.0 Scope
This policy applies to workstations owned or managed by EUCS. This includes systems that contain company or customer data owned or managed by Axalta Coating Systems regardless of location. The following systems have been identified for management:
- Workstations (desktops and laptops) managed by the Service Desk.
- Servers managed by the Server Team.

4.0 Policy
Workstations owned by Axalta Coating Systems must have up-to-date (as defined by EUCS minimum baseline standards) operating system security patches installed to protect the asset from known vulnerabilities. This includes all laptops and desktops owned and managed by Axalta Coating Systems.

4.1 Workstations
Desktops and laptops must have an up-to-date SCCM client installed on the system for operating system patches. This is the default configuration for all workstations built by EUCS/SCCM. Any exception to the policy must be documented and forwarded to EUCS/SCCM.

5.1 Servers

5.0 Roles and Responsibilities
Service Desk will manage the patching needs of all workstations on the network and in addition is responsible for routinely assessing compliance with the patching policy and will provide guidance to all groups in issues of patch management.
Server Team will manage the patching needs of all servers on the network and in addition is responsible for routinely assessing compliance with the patching policy and will provide guidance to all groups in issues of patch management.
The Change Management Board (TBD)

6.0 Monitoring and Reporting
Active patching teams noted in the Roles and Responsibility section (5.0) are required to compile and maintain reporting metrics that summarize the outcome of each patching cycle. System Center Configuration Manager shall be used to evaluate the current patching levels of all systems and to assess the current level of risk. These reports shall be made available to Information Security and Internal Audit upon request. System Center Configuration Manager reporting provides default reports for Software Updates in five categories:
a. Compliance
b. Deployment Management
c. Deployment States
d. Scans
e. Troubleshooting

6.1 Microsoft Patch Deployment Process
Workstations:
EUCS/SCCM will utilize Automatic Deployment Rules (ADRs) for patching workstations within the AXALTACS.net domain. When Microsoft releases Windows Operating System patches the second Tuesday of every month, the ADRs for Windows 7, Windows 8 and Windows XP run on a set schedule, download the Windows Updates for each operating system and create the deployments automatically. A member of the Service Desk team will verify that synchronization between Microsoft Updates and the SCCM environment has occurred successfully and the ADRs have processed correctly. Each operating system has two collections created for Windows Updates and a separate ADR for each collection.

Collections
1. Software Updates (OS Version) - Collection populated by query of all (OS Version) SCCM clients
2. (OS Version) Updates Pre-Deployment – Direct Membership SCCM clients

Automatic Deployment Rule (ADR)
1. ADR - Software Updates – (OS Version) Monthly Updates - Pre-Deployment
2. ADR - Software Updates – (OS Version) Monthly Updates

Testing
The "ADR - Software Updates – (OS Version) Monthly Updates - Pre-Deployment" process runs on the second Tuesday of every month. This process, as described above, downloads the current month's updates and creates the deployments for each operating system. Once the deployment is created and the content has been distributed to each Distribution Point, the ADR then completes the process by offering all software updates to the pre-deployment collection. The SCCM Client then receives notification that there is a change and starts to process the Windows updates. The ADR Pre-Deployment sequence is set to install Software Updates on the second Tuesday of each month as soon as possible, with a maintenance window set for the second Wednesday of each month between 9:00 AM and 2:00 PM.

Deployment
"ADR - Software Updates – (OS Version) Monthly Updates" follows the same sequence as the pre-deployment ADR, but the updates are installed 2 weeks after Patch Tuesday, after testing has been completed and only during the collection maintenance periods. The EUCS/SCCM team has implemented a 3-tier maintenance window configuration to address the common issue of systems which may not be online during a normal maintenance window.

Maintenance Windows Deployment:

Collection | Day | Times
Software Updates- Windows XP - 1 | Last Friday of Month | 12:00 AM – 4:00 AM
Software Updates- Windows XP - 2 | Last Saturday of Month | 12:00 AM – 4:00 AM
Software Updates- Windows XP - 3 | Last Sunday of Month | 12:00 AM – 4:00 AM
Software Updates – Windows 7 - 1 | Last Friday of Month | 12:00 AM – 4:00 AM
Software Updates – Windows 7 – 2 | Last Saturday of Month | 12:00 AM – 4:00 AM
Software Updates – Windows 7 - 3 | Last Sunday of Month | 12:00 AM – 4:00 AM
Software Updates Windows 8 - 1 | Last Friday of Month | 12:00 AM – 4:00 AM
Software Updates Windows 8 - 2 | Last Saturday of Month | 12:00 AM – 4:00 AM
Software Updates Windows 8 - 3 | Last Sunday of Month | 12:00 AM – 4:00 AM
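The monthly cycle in section 6.1 and the maintenance-window table fix every date by calendar rule, so the ordering of those dates can be checked per month. The following is an added example, not Axalta's or Microsoft's tooling; the function names are hypothetical, and it assumes "2 weeks after Patch Tuesday" means 14 days after the second Tuesday.

```python
# Added example: derive one month's patch-cycle dates from the policy's rules
# and flag months where the calendar puts them out of the intended order.
import calendar
from datetime import date, timedelta

def nth_weekday(year, month, weekday, n):
    """Date of the n-th given weekday (Monday=0) in a month."""
    first = date(year, month, 1)
    offset = (weekday - first.weekday()) % 7
    return first + timedelta(days=offset + 7 * (n - 1))

def last_weekday(year, month, weekday):
    """Date of the last given weekday (Monday=0) in a month."""
    last = date(year, month, calendar.monthrange(year, month)[1])
    return last - timedelta(days=(last.weekday() - weekday) % 7)

def patch_cycle(year, month):
    """Key dates of one cycle: release, pre-deployment window, tiers."""
    patch_tuesday = nth_weekday(year, month, calendar.TUESDAY, 2)
    return {
        "patch_tuesday": patch_tuesday,
        # The policy says "second Wednesday", not "the day after".
        "pre_window": nth_weekday(year, month, calendar.WEDNESDAY, 2),
        # Assumption: production install is allowed from release + 14 days.
        "production_ready": patch_tuesday + timedelta(weeks=2),
        "tiers": {
            1: last_weekday(year, month, calendar.FRIDAY),
            2: last_weekday(year, month, calendar.SATURDAY),
            3: last_weekday(year, month, calendar.SUNDAY),
        },
    }

def review(year, month):
    """List the ordering problems the calendar creates for this month."""
    cycle = patch_cycle(year, month)
    findings = []
    if cycle["pre_window"] < cycle["patch_tuesday"]:
        findings.append("pre-deployment window precedes Patch Tuesday")
    for tier, day in cycle["tiers"].items():
        if day < cycle["production_ready"]:
            findings.append(f"tier {tier} window precedes the 2-week mark")
    return findings

if __name__ == "__main__":
    for y, m in [(2023, 10), (2023, 11)]:  # constructed sample months
        print(y, m, patch_cycle(y, m)["patch_tuesday"], review(y, m))
```

In months that begin on a Wednesday the second Wednesday falls six days before the second Tuesday, so that month's pre-deployment window has already passed when the updates are released.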

Servers
EUCS/SCCM will utilize three methods

6.2 Compliance Goals
In any network of this size, it is almost inevitable that a small number of computers will be in a noncompliant state at any given time. In most cases, these are computers that are being rebuilt or are otherwise in a state of change when online, rather than computers that have had their antimalware software intentionally disabled. EUCS/SCCM believes that a compliance rate in excess of 95% is an acceptable level of compliance. In most cases, attempting to boost this compliance rate the rest of the way to 100% will likely be a costly endeavor, and the end result – 100% compliance - will be unsustainable for any length of time.

Emergency Patching – From time to time there will be a need to apply an emergency patch to the systems. These will be handled on a per-case basis by the EUCS/SCCM team.

When no patch is available – When a system has been found vulnerable and there is no current patch from Microsoft, the system should be disconnected from the network until a patch is available or the vulnerability has been removed.

7.0 Enforcement
Implementation and enforcement of this policy is ultimately the responsibility of all employees at Axalta Coating Systems. Information Security and Internal Audit may conduct random assessments to ensure compliance with policy without notice. Any system found in violation of this policy shall require immediate corrective action. Violations shall be noted in REMEDY and the Service Desk shall be dispatched to remediate the issue. Repeated failures to follow policy may lead to disciplinary action.

8.0 Exceptions
Exceptions to the patch management policy require formal documented approval from EUCS/SCCM. Any or workstations that do not comply with policy must have an approved exception on file with the Axalta Coating Systems IT.

9.0 Definitions

Term | Definition
Patch | A piece of software designed to fix problems with or update a computer program or its supporting data
Deployment | A System Center Configuration Manager process which enables content on a distribution point for SCCM clients
Trojan | A class of computer threats (malware) that appears to perform a desirable function but in fact performs undisclosed malicious functions
Virus | A computer program that can copy itself and infect a computer without the permission or knowledge of the owner.
Worm | A self-replicating computer program that uses a network to send copies of itself to other nodes. May cause harm by consuming bandwidth.

© SANS Institute 2006 All Rights Reserved
