Skip to content

Change and Patch Management

This policy governs how Ouva plans, tests, approves, and deploys platform and endpoint changes.

Applies to Ouva-managed components, including:

  • Cloud application and API releases
  • Browser, OS, driver, and firmware updates on managed deployment devices
  • Supporting security and remote-support tooling used in active support contracts
  • Emergency: Actively exploited or critical security issues requiring expedited remediation
  • Standard: Pre-approved, low-risk, routine maintenance updates
  • Normal: Planned feature, configuration, or infrastructure changes requiring review and scheduling
  1. Define change scope, affected systems, and rollback plan.
  2. Assess risk and obtain peer approval based on change type.
  3. Validate in a staging or preview environment that reflects production characteristics.
  4. Deploy according to planned maintenance windows or emergency process.
  5. Verify service health and record implementation outcome.
  • Security and reliability patches are applied on a regular cadence.
  • Managed devices are updated during agreed maintenance windows to minimize user disruption.
  • Customers are notified in advance for planned activities when contractually required.
  • Vulnerability-specific remediation targets and scanning requirements are defined in the Vulnerability Management Policy.
  • Critical vulnerabilities or active exploitation trigger accelerated patching outside routine windows.
  • Emergency updates are prioritized for internet-facing and high-impact systems first.
  • A post-deployment notice summarizes scope, timing, and outcome when customer-facing impact exists.
  • High-impact changes require a tested rollback or restore strategy before deployment.
  • If regression is detected, affected services are rolled back or recovered using approved procedures.
  • Incidents triggered by change failure are handled through the Incident Response Plan.
  • Change records include approver, implementation details, timestamps, and outcome.
  • Policy effectiveness is reviewed at least annually and after major incidents.

For device patch and maintenance practices, see Uptime, Availability & Monitoring. For software update and network requirements, see Network Guidelines.