scope:

This standard applies to all Information Technology and data owned by TfL or operated and supported by third parties for or on behalf of TfL. This includes:

a) User devices, including 'thick' and 'thin' desktop computers, portable devices such as laptops and mobile devices such as tablet computers and smartphones

b) Servers (physical and virtual), including file servers, application servers, web servers, database servers and any servers that manage network connections.

c) Network infrastructure and security components, including devices managing connections (switches, routers), devices for protecting the networks and systems (IDS/IPS) or devices managing network connections (firewalls, load balancers).

This standard acts as a subset of one of three documents which sits under Risk Management. The documents are the Cyber security testing standard, Cyber security vulnerability management standard and Security patching standard.

Purpose

The purpose of this standard is to detail the requirements for applying securityrelated updates ('security patches') in order to help secure TfL systems and applications in line with the Secure builds and configurations policy and the Cyber security vulnerability management standard.