Build a patch-management policy
Michael Mullins
Published: 29 Aug 2006 17:20 BST
Patch management is an issue that will always plague your organisation's network. There will always be patches, updates and security fixes to apply. Unfortunately, there will not always be unlimited time to evaluate and distribute fixes to close a security hole that attackers are currently exploiting.
Given the current state of security, patch management can easily become overwhelming. That's why it's a good idea to establish a patch-management policy to define the necessary procedures and responsibilities.
Usually, I would discuss the components of a patch-management policy and go over what such a policy needs to address, but this time I want to do something different. Rather than talking about which potential issues a policy should cover, let's look at a sample policy you can adapt to fit your organisation's needs.
Here's a sample patch-management policy for a company we'll call XYZ Networks. If you don't have such a policy in your organisation, you can use the following as a starting point.
Goal
It is the chief information officer's responsibility to provide a secure network environment for XYZ Networks' automated applications, staff, business partners and contractors. As part of this goal, it is XYZ Networks' policy to ensure all computer devices (including servers, desktops, printers and so on) connected to XYZ Networks' network have proper virus-protection software, current virus-definition libraries, and the most recent operating system and security patches installed.
NetOps responsibility
The Network Operations (NetOps) division is responsible for the overall patch-management implementation, operations and procedures. While safeguarding the network is every user's job, NetOps is the division that ensures all known and reasonable defences are in place to reduce network vulnerabilities while keeping the network operating. This responsibility includes the following tasks.
Monitoring
NetOps will monitor security mailing lists, review vendor notifications and Web sites, and research specific public Web sites for the release of new patches. Monitoring will include, but not be limited to, the following:
- Scanning XYZ Networks' network to identify known vulnerabilities.
- Identifying and communicating identified vulnerabilities and/or security breaches to XYZ Networks' chief information security officer and chief information officer
- Monitoring CERT, notifications and Web sites of all vendors that have hardware or software operating on XYZ Networks' network
Review and evaluation
Once alerted to a new patch, NetOps will download and review the new patch within four hours of its release. NetOps will categorise the criticality of the patch according to the following:
- Emergency — an imminent threat to XYZ Networks' network
- Critical — targets a security vulnerability
- Not Critical — a standard patch release update
- Not applicable to XYZ Networks' environment
Regardless of platform or criticality, all patch releases will follow a defined process for patch deployment…
Previous
Did you find this article useful?
144 out of 307 people found this useful
Digg
Slashdot
Del.ici.ous
Stumble
Reddit
