Entity periodically reviews that security-relevant patches are installed, including software or firmware updates and the identified end-of-life software must be removed from the environment