Security / Andress on Security / Patch Management Policy
I hear a lot of debate these days on patch management – it’s a losing battle, patches break my machines, developers should write better code, etc. While I agree that all these statements are true at some level, patch management is still not an area administrators can ignore.

When I refer to patch management, I am not strictly referring to Windows systems. Organizations need to have formal patch management policies and procedures for all operating systems they use.

Patch management policies must be designed to work within your organization’s existing maintenance program, but here is a standard policy that I always start with:

1. A designated group or individual is responsible for monitoring security mailing lists, vendor mailing lists, and specific web sites for the release of new patches.

2. New patches are reviewed and evaluated for relevance and criticality to the organization’s infrastructure. This step should occur within 24 hours of release of the patch.

3. If the patch is considered critical and active exploits exist, the patch should be installed as soon as possible. If the patch is critical and active exploits are not yet in the wild, patch installation can wait until the next scheduled maintenance window or until active exploits are released, whichever comes first.

4. For non-critical patches, installation can occur during regularly scheduled maintenance windows.

Don’t forget that all patches should be thoroughly tested before deployment.

A number of patch management products are on the market to help with this process, and I reviewed several of them in the past (http://www.nwfusion.com/reviews/2002/0204bgrev.html).

A new site is also online, www.patchmanagement.org, to discuss these very issues. I encourage you to subscribe to the mailing list and keep an eye on the site as they continue to expand its content.