Patching

Patching closes known vulnerabilities and is the single highest-leverage operational control, since most breaches exploit flaws that already had a fix. Prioritize by severity and active exploitation: critical/high and KEV-listed CVEs within days, ideally tested in staging first. Patch SLAs, maintenance windows, and documented exceptions (for systems that can’t be patched) keep the program auditable.