Patch management is an issue that will always plague your organization's network. There will always be patches, updates, and security fixes to apply. Unfortunately, there will not always be unlimited time to evaluate and distribute fixes to close a security hole that attackers are currently exploiting.
Given the current state of security, patch management can easily become overwhelming. That's why it's a good idea to establish a patch management policy to define the necessary procedures and responsibilities.
Usually, I would discuss the components of a patch management policy and go over what such a policy needs to address, but this time I want to do something different. Rather than talking about which potential issues a policy should cover, let's look at a sample policy you can adapt to fit your organization's needs.
Sample patch management policy
Here's a sample patch management policy for a company we'll call XYZ Networks. If you don't have such a policy in your organization, you can use the following as a starting point.
Goal
It is the chief information officer's (CIO's) responsibility to provide a secure network environment for XYZ Networks' automated applications, staff, business partners, and contractors. As part of this goal, it is XYZ Networks' policy to ensure all computer devices (including servers, desktops, printers, etc.) connected to XYZ Networks' network have proper virus protection software, current virus definition libraries, and the most recent operating system and security patches installed.
NetOps Responsibility
The Network Operations (NetOps) division is responsible for the overall patch management implementation, operations, and procedures. While safeguarding the network is every user's job, NetOps is the division that ensures all known and reasonable defenses are in place to reduce network vulnerabilities while keeping the network operating. This responsibility includes the tasks detailed below.
Monitoring
NetOps will monitor security mailing lists, review vendor notifications and Web sites, and research specific public Web sites for the release of new patches. Monitoring will include, but not be limited to, the following:
- Scanning XYZ Networks' network to identify known vulnerabilities.
- Identifying and communicating identified vulnerabilities and/or security breaches to XYZ Networks' chief information security officer (CISO) and CIO.
- Monitoring CERT, notifications, and Web sites of all vendors that have hardware or software operating on XYZ Networks' network.
Review and evaluation
Once alerted to a new patch, NetOps will download and review the new patch within four hours of its release. NetOps will categorize the criticality of the patch according to the following:
- Emergency: an imminent threat to XYZ Networks' network
- Critical: targets a security vulnerability
- Not Critical: a standard patch release update
- Not Applicable: does not apply to XYZ Networks' environment
Regardless of platform or criticality, all patch releases will follow a defined process for patch deployment that includes assessing the risk, testing, scheduling, installing, and verifying.