Change and Patch Management
This policy governs how Ouva plans, tests, approves, and deploys platform and endpoint changes.
Applies to Ouva-managed components, including:
- Cloud application and API releases
- Browser, OS, driver, and firmware updates on managed deployment devices
- Supporting security and remote-support tooling used in active support contracts
Change Classification
Section titled “Change Classification”- Emergency: Actively exploited or critical security issues requiring expedited remediation
- Standard: Pre-approved, low-risk, routine maintenance updates
- Normal: Planned feature, configuration, or infrastructure changes requiring review and scheduling
Change Workflow
Section titled “Change Workflow”- Define change scope, affected systems, and rollback plan.
- Assess risk and obtain peer approval based on change type.
- Validate in a staging or preview environment that reflects production characteristics.
- Deploy according to planned maintenance windows or emergency process.
- Verify service health and record implementation outcome.
Routine Patch Management
Section titled “Routine Patch Management”- Security and reliability patches are applied on a regular cadence.
- Managed devices are updated during agreed maintenance windows to minimize user disruption.
- Customers are notified in advance for planned activities when contractually required.
- Vulnerability-specific remediation targets and scanning requirements are defined in the Vulnerability Management Policy.
Emergency Patching
Section titled “Emergency Patching”- Critical vulnerabilities or active exploitation trigger accelerated patching outside routine windows.
- Emergency updates are prioritized for internet-facing and high-impact systems first.
- A post-deployment notice summarizes scope, timing, and outcome when customer-facing impact exists.
Rollback and Recovery
Section titled “Rollback and Recovery”- High-impact changes require a tested rollback or restore strategy before deployment.
- If regression is detected, affected services are rolled back or recovered using approved procedures.
- Incidents triggered by change failure are handled through the Incident Response Plan.
Logging, Audit, and Review
Section titled “Logging, Audit, and Review”- Change records include approver, implementation details, timestamps, and outcome.
- Policy effectiveness is reviewed at least annually and after major incidents.
For device patch and maintenance practices, see Uptime, Availability & Monitoring. For software update and network requirements, see Network Guidelines.