We just got dinged by internal audit for not having an anti-virus and patch management policy. Both issues are spoken to in another policy, entitled "Information Privacy and Security," but the auditor has a point. Our A-V and patch management posture isn't very well publicized. I'm working on reviewing all of our IT and Information Security policies--you can't say I don't know how to have a good time--and there is some work to do. I believe policy should be concise with implementation details worked out in separate "procedures" or "standards" documents (our policy structure is not designed like that). That way, we can all agree on a philosophical vision of how IT and InfoSec should function in our organization. Then the nuts & bolts get tweaked by flexible, ever-changing procedures and standards which are reviewed and updated by the people closest to them.
Here is an example of the A-V and patch management policy I am thinking of proposing--in the form of a haiku!
Malware harms data.
Deploy updates. Be timely!
Please get protected.