{"component": "clause", "props": {"groups": [{"snippet_links": [{"key": "other-systems", "type": "clause", "offset": [30, 43]}, {"key": "county-phi", "type": "definition", "offset": [70, 80]}, {"key": "security-patches", "type": "clause", "offset": [106, 122]}, {"key": "management-process", "type": "clause", "offset": [198, 216]}, {"key": "based-on", "type": "clause", "offset": [257, 265]}, {"key": "risk-assessment", "type": "definition", "offset": [266, 281]}], "size": 82, "snippet": "All workstations, laptops and other systems that process and/or store County PHI or PI must have critical security patches applied, with system reboot if necessary. There must be a documented patch management process which determines installation timeframe based on risk assessment and vendor recommendations. At a maximum, all applicable patches must be installed within 30 days of vendor release.", "samples": [{"hash": "A8Z2DruOfA", "uri": "/contracts/A8Z2DruOfA#patch-management", "label": "Agreement for Special Services", "score": 36.5167694092, "published": true}, {"hash": "g35dmch1iEF", "uri": "/contracts/g35dmch1iEF#patch-management", "label": "Agreement for Special Services", "score": 36.4552307129, "published": true}, {"hash": "hOOj5zXQ3av", "uri": "/contracts/hOOj5zXQ3av#patch-management", "label": "Contract No. 2020243", "score": 36.4019546509, "published": true}], "hash": "e64682a9a6a5b82a553a590472ca9a4c", "id": 1}, {"snippet_links": [{"key": "other-systems", "type": "clause", "offset": [30, 43]}, {"key": "to-contractor", "type": "clause", "offset": [94, 107]}, {"key": "of-county", "type": "clause", "offset": [178, 187]}, {"key": "security-patches", "type": "clause", "offset": [207, 223]}, {"key": "management-process", "type": "clause", "offset": [302, 320]}, {"key": "based-on", "type": "clause", "offset": [364, 372]}, {"key": "risk-assessment", "type": "definition", "offset": [373, 388]}, {"key": "within-thirty", "type": "clause", "offset": [475, 488]}, {"key": "business-days-of", "type": "clause", "offset": [506, 522]}, {"key": "operational-reasons", "type": "definition", "offset": [597, 616]}], "size": 81, "snippet": "All workstations, laptops and other systems that process and/or 20 store PHI COUNTY discloses to CONTRACTOR or CONTRACTOR creates, receives, maintains, or 21 transmits on behalf of COUNTY must have critical security patches applied, with system reboot if 22 necessary. There must be a documented patch management process which determines installation 23 timeframe based on risk assessment and vendor recommendations. At a maximum, all applicable 24 patches must be installed within thirty (30) calendar or business days of vendor release. Applications 25 and systems that cannot be patched due to operational reasons must have compensatory controls 26 implemented to minimize risk, where possible.", "samples": [{"hash": "ciJBLsie1hh", "uri": "/contracts/ciJBLsie1hh#patch-management", "label": "Contract for Provision of Drug Medi Cal Narcotic Replacement Therapy Treatment Services", "score": 33.2196083069, "published": true}, {"hash": "ltM3cgUvhJs", "uri": "/contracts/ltM3cgUvhJs#patch-management", "label": "Contract for Provision of Drug Medi Cal Narcotic Replacement Therapy Treatment Services", "score": 33.0153236389, "published": true}, {"hash": "eGoS71WMwjd", "uri": "/contracts/eGoS71WMwjd#patch-management", "label": "Contract for Provision of Drug Medi Cal Narcotic Replacement Therapy Treatment Services", "score": 32.0153236389, "published": true}], "hash": "1393b7d4eaad7faadd11471d2aa799db", "id": 2}, {"snippet_links": [{"key": "other-systems", "type": "clause", "offset": [30, 43]}, {"key": "to-contractor", "type": "clause", "offset": [91, 104]}, {"key": "of-county", "type": "clause", "offset": [172, 181]}, {"key": "security-patches", "type": "clause", "offset": [201, 217]}, {"key": "management-process", "type": "clause", "offset": [293, 311]}, {"key": "based-on", "type": "clause", "offset": [352, 360]}, {"key": "risk-assessment", "type": "definition", "offset": [361, 376]}, {"key": "operational-reasons", "type": "definition", "offset": [549, 568]}], "size": 50, "snippet": "All workstations, laptops and other systems that process and/or store PHI COUNTY discloses to CONTRACTOR or CONTRACTOR creates, receives, maintains, or transmits on behalf of COUNTY must have critical security patches applied, with system reboot if necessary. There must be a documented patch management process which determines installation timeframe based on risk assessment and vendor recommendations. At a maximum, all applicable patches must be installed within 30 days of vendor release. Applications and systems that cannot be patched due to operational reasons must have compensatory controls implemented to minimize risk, where possible.", "samples": [{"hash": "3EeT6MWN9u8", "uri": "/contracts/3EeT6MWN9u8#patch-management", "label": "Digital Health Solution Services Agreement", "score": 35.3629684448, "published": true}, {"hash": "6h1Y9aHg03o", "uri": "/contracts/6h1Y9aHg03o#patch-management", "label": "Subordinate Contract for Unarmed Security Guard Services", "score": 34.7470588684, "published": true}, {"hash": "aLjNGjnFBJh", "uri": "/contracts/aLjNGjnFBJh#patch-management", "label": "Contract for Behavioral Health System Transformation", "score": 34.6320915222, "published": true}], "hash": "9a810a94b3741255b94d02cb64995584", "id": 5}, {"snippet_links": [{"key": "develop-and-implement", "type": "clause", "offset": [20, 41]}, {"key": "management-strategy", "type": "clause", "offset": [50, 69]}, {"key": "management-controls", "type": "clause", "offset": [91, 110]}, {"key": "management-procedures", "type": "definition", "offset": [121, 142]}, {"key": "reasonable-time", "type": "definition", "offset": [183, 198]}, {"key": "security-patches", "type": "clause", "offset": [242, 258]}, {"key": "determine-whether", "type": "clause", "offset": [263, 280]}, {"key": "timing-of", "type": "clause", "offset": [321, 330]}, {"key": "other-factors", "type": "clause", "offset": [415, 428]}], "size": 18, "snippet": "Computershare shall develop and implement a patch management strategy that is supported by management controls and patch management procedures and operational documentation. Within a reasonable time, Computershare will review newly available security patches and determine whether to implement a particular patch and the timing of any such implementation based upon risks to Computershare or its customers and such other factors as Computershare deems relevant.", "samples": [{"hash": "lIKVElYETr5", "uri": "/contracts/lIKVElYETr5#patch-management", "label": "Transfer Agency and Service Agreement (Blackrock Muniassets Fund, Inc.)", "score": 31.4010944366, "published": true}, {"hash": "bgjcMmHFdE9", "uri": "/contracts/bgjcMmHFdE9#patch-management", "label": "Transfer Agency and Service Agreement", "score": 31.3408622742, "published": true}, {"hash": "cr2xvTNWBtj", "uri": "/contracts/cr2xvTNWBtj#patch-management", "label": "Transfer Agency and Service Agreement (Blackrock Credit Allocation Income Trust)", "score": 31.0013694763, "published": true}], "hash": "9ad1f73459b24fc73976abadfb419ce6", "id": 7}, {"snippet_links": [{"key": "other-systems", "type": "clause", "offset": [33, 46]}, {"key": "security-patches", "type": "clause", "offset": [99, 115]}, {"key": "management-process", "type": "clause", "offset": [195, 213]}, {"key": "based-on", "type": "clause", "offset": [253, 261]}, {"key": "risk-assessment", "type": "definition", "offset": [262, 277]}, {"key": "within-thirty", "type": "clause", "offset": [385, 398]}, {"key": "high-risk", "type": "clause", "offset": [478, 487]}, {"key": "time-frame", "type": "definition", "offset": [588, 598]}, {"key": "operational-reasons", "type": "definition", "offset": [619, 638]}], "size": 54, "snippet": "i. All workstations, laptops and other systems, which process and/or store PII, must have critical security patches applied, with system reboot if necessary.\nii. There must be a documented patch management process that determines installation timeframe based on risk assessment and vendor recommendations.\niii. At a maximum, all applicable patches deemed as critical must be installed within thirty (30) days of vendor release. It is recommended that critical patches which are high risk be installed within seven (7) days.\niv. Applications and systems that cannot be patched within this time frame, due to significant operational reasons, must have compensatory controls implemented to minimize risk.", "samples": [{"hash": "fWksrVFLk8j", "uri": "/contracts/fWksrVFLk8j#patch-management", "label": "Contract for Family Resource Center Services", "score": 36.2044639587, "published": true}, {"hash": "4WFFZrUHaLj", "uri": "/contracts/4WFFZrUHaLj#patch-management", "label": "Contract for the Provision of Bringing Families Home Services", "score": 36.1462593079, "published": true}, {"hash": "lCt47oxUe5k", "uri": "/contracts/lCt47oxUe5k#patch-management", "label": "Contract for the Provision of Bridge Program Child Care Navigator, Trauma Informed Training and Coaching, and Emergency Child Care Voucher Services", "score": 36.1309661865, "published": true}], "hash": "a26ff334cab96dc7e7fb38089002f259", "id": 4}, {"snippet_links": [{"key": "other-systems", "type": "clause", "offset": [30, 43]}, {"key": "security-patches", "type": "clause", "offset": [104, 120]}, {"key": "management-process", "type": "clause", "offset": [196, 214]}, {"key": "based-on", "type": "clause", "offset": [255, 263]}, {"key": "risk-assessment", "type": "definition", "offset": [264, 279]}], "size": 71, "snippet": "All workstations, laptops and other systems that process and/or store DHCS PHI or PI must have critical security patches applied, with system reboot if necessary. There must be a documented patch management process which determines installation timeframe based on risk assessment and vendor recommendations. At a maximum, all applicable patches must be installed within 30 days of vendor release.", "samples": [{"hash": "dXINGLKtoBw", "uri": "/contracts/dXINGLKtoBw#patch-management", "label": "Participation Agreement", "score": 35.6633338928, "published": true}, {"hash": "avifs6Fydd3", "uri": "/contracts/avifs6Fydd3#patch-management", "label": "Participation Agreement", "score": 35.6080169678, "published": true}, {"hash": "fndmu56kGum", "uri": "/contracts/fndmu56kGum#patch-management", "label": "Participation Agreement", "score": 35.2124137878, "published": true}], "hash": "e138ad1ce5ec59517c6959a44c34d14c", "id": 3}, {"snippet_links": [{"key": "other-systems", "type": "clause", "offset": [31, 44]}, {"key": "security-patches", "type": "clause", "offset": [112, 128]}, {"key": "service-providers", "type": "clause", "offset": [152, 169]}, {"key": "management-process", "type": "clause", "offset": [202, 220]}, {"key": "based-on", "type": "clause", "offset": [261, 269]}, {"key": "risk-assessment", "type": "definition", "offset": [270, 285]}], "size": 29, "snippet": "All workstations, laptops, and other systems that access, process and/or store OCHCA data must have appropriate security patches installed. Application Service Providers must utilize a documented patch management process which determines installation timeframe based on risk assessment and vendor recommendations. At a minimum, all applicable patches must be installed within 30 days of vendor release.", "samples": [{"hash": "jZrzENCXaiK", "uri": "/contracts/jZrzENCXaiK#patch-management", "label": "Phlebotomy and Laboratory Testing Services Contract", "score": 35.371181488, "published": true}, {"hash": "3EeT6MWN9u8", "uri": "/contracts/3EeT6MWN9u8#patch-management", "label": "Digital Health Solution Services Agreement", "score": 35.3629684448, "published": true}, {"hash": "igw7ICMDp3u", "uri": "/contracts/igw7ICMDp3u#patch-management", "label": "Software Maintenance and Database Hosting Services Agreement", "score": 35.0591201782, "published": true}], "hash": "e41836217a61597489c46d8f30aa001a", "id": 6}, {"snippet_links": [{"key": "other-systems", "type": "clause", "offset": [30, 43]}], "size": 14, "snippet": "All workstations, laptops and other systems that process and/or", "samples": [{"hash": "kvgENkGYIod", "uri": "/contracts/kvgENkGYIod#patch-management", "label": "Agreement for Provision of Volunteer to Work Project Program Services", "score": 24.2995433807, "published": true}, {"hash": "k34rMKse0wW", "uri": "/contracts/k34rMKse0wW#patch-management", "label": "Agreement for Provision of Transitional Age Youth Full Service Partnership/Wraparound Services", "score": 24.2994823456, "published": true}, {"hash": "80pGXqExey3", "uri": "/contracts/80pGXqExey3#patch-management", "label": "Agreement for Provision of Services", "score": 23.2803821564, "published": true}], "hash": "a4d036eb8b9a317a84b9b00bdb9cd92f", "id": 10}, {"snippet_links": [{"key": "other-systems", "type": "clause", "offset": [30, 43]}, {"key": "operating-system", "type": "clause", "offset": [89, 105]}, {"key": "security-patches", "type": "clause", "offset": [122, 138]}, {"key": "management-process", "type": "clause", "offset": [214, 232]}, {"key": "based-on", "type": "clause", "offset": [273, 281]}, {"key": "risk-assessment", "type": "definition", "offset": [282, 297]}], "size": 18, "snippet": "All workstations, laptops and other systems that process and/or store CDPH PCI must have operating system and application security patches applied, with system reboot if necessary. There must be a documented patch management process which determines installation timeframe based on risk assessment and vendor recommendations. At a maximum, all applicable patches must be installed within 30 days of vendor release.", "samples": [{"hash": "kMD2zpY7R5i", "uri": "/contracts/kMD2zpY7R5i#patch-management", "label": "Grant Agreement", "score": 33.7150726318, "published": true}, {"hash": "jhVoY8F33JH", "uri": "/contracts/jhVoY8F33JH#patch-management", "label": "Grant Agreement", "score": 32.8747024536, "published": true}, {"hash": "59Tva0qtxf4", "uri": "/contracts/59Tva0qtxf4#patch-management", "label": "Grant Agreement", "score": 31.3034515381, "published": true}], "hash": "303d0e38527e3275f80a00ad6567b61b", "id": 8}, {"snippet_links": [{"key": "operating-systems", "type": "clause", "offset": [55, 72]}, {"key": "the-services", "type": "definition", "offset": [132, 144]}, {"key": "the-manufacturer", "type": "definition", "offset": [178, 194]}, {"key": "in-a-timely-manner", "type": "definition", "offset": [306, 324]}, {"key": "consistent-with-the", "type": "clause", "offset": [325, 344]}], "size": 17, "snippet": "UKG shall review all patches, updates, and upgrades of operating systems, middleware, or applications to all relevant components of the Services after they have been released by the manufacturer and tested by UKG. UKG shall manage the patching process prudently to assure that critical patches are applied in a timely manner consistent with the associated risk.", "samples": [{"hash": "aURYhFWpKW4", "uri": "/contracts/aURYhFWpKW4#patch-management", "label": "Data Processing Addendum", "score": 35.4831619263, "published": true}, {"hash": "7CmxGu4bafj", "uri": "/contracts/7CmxGu4bafj#patch-management", "label": "Data Processing Addendum", "score": 35.4806747437, "published": true}, {"hash": "8dhWxn2BnPa", "uri": "/contracts/8dhWxn2BnPa#patch-management", "label": "Data Processing Addendum", "score": 35.2261009216, "published": true}], "hash": "5ddfa637077630996b1c00e429326b4a", "id": 9}], "next_curs": "ClkSU2oVc35sYXdpbnNpZGVyY29udHJhY3RzcjULEhZDbGF1c2VTbmlwcGV0R3JvdXBfdjU2IhlwYXRjaC1tYW5hZ2VtZW50IzAwMDAwMDBhDKIBAmVuGAAgAA==", "clause": {"title": "Patch Management", "size": 646, "parents": [["technical-security-controls", "Technical Security Controls"], ["business-associate-data-security-requirements", "Business Associate Data Security Requirements"], ["data-security-requirements", "Data Security Requirements"], ["business-associate-contract", "Business Associate Contract"], ["general-security-controls", "General Security Controls"]], "children": [["", ""], ["communicated-schedule", "Communicated schedule"], ["basic-patch-management", "Basic Patch Management"], ["advanced-patch-management", "Advanced Patch Management"], ["warning-banners", "Warning Banners"]], "id": "patch-management", "related": [["security-management", "Security Management", "Security Management"], ["traffic-management", "Traffic Management", "Traffic Management"], ["virus-management", "Virus Management", "Virus Management"], ["site-management", "SITE MANAGEMENT", "SITE MANAGEMENT"], ["network-management", "Network Management", "Network Management"]], "related_snippets": [], "updated": "2026-01-30T05:31:38+00:00", "also_ask": ["What minimum patching timelines should be mandated to balance security and operational feasibility?", "How can liability be allocated if a breach occurs due to delayed or failed patching?", "What audit or reporting mechanisms should be required to ensure compliance with patch management obligations?", "How does this clause compare to industry-standard patch management requirements (e.g., NIST, ISO)?", "What are the enforceability challenges if a party claims a patch was unavailable or impractical to implement?"], "drafting_tip": "Specify patch application timelines to ensure timely risk mitigation, define responsible parties to clarify accountability, and require documentation of updates to facilitate compliance audits.", "explanation": "The Patch Management clause outlines the requirements and procedures for regularly updating and applying software patches to systems and applications. It typically mandates that the organization monitor for new security updates, assess their relevance, and implement them within a specified timeframe to address vulnerabilities. This clause ensures that systems remain protected against known threats, reducing the risk of security breaches caused by outdated or unpatched software."}, "json": true, "cursor": ""}}