Tuesday, July 9, 2013

How, What, and When to Patch

How an enterprise decides to manage patch administration probably varies based on who is doing it, the maturity of the Vulnerability Management program, and the business' tolerance for maintenance windows. In my opinion patching should be broken into four categories:

(1)  Infrastructure. This would be servers, devices, and applications that are used by IT and can be patched with no impact to business users or business processes. This patching can be accomplished as often as necessary, but monthly will probably work out best.

(2)  Servers / Operating Systems. This category includes the Windows and / or Linux servers in the environment. This is where IT management needs to get a recurring maintenance window from the business that is always available for IT to use, whether it is needed or not. In my humble opinion this window should be available weekly. While we are probably not going to patch weekly, this window can be used to fix application problems, apply emergency / critical patches, etc. Server patching probably can't be performed more often than quarterly, because you will need time to test patches in the non-prod environment.

(3)  Applications. This category includes business applications such as ERP systems, HR systems, etc. These systems should be patched during the maintenance window arranged by IT management above. How often this patching occurs will depend on the business' desire, because it will take a good amount of resources to test the patches and identify any impacts on systems that may feed or receive data from the patched system. Twice a year may be the best-case scenario; once a year may be the schedule that works best for the business.

(4)  Workstations. This is where the biggest risk may be located for the enterprise. While the endpoint security (anti-virus, anti-malware, etc.) should be updating daily, OS patching should be applied monthly. If a standard desktop image is used, testing should be pretty straightforward, and a reboot by users once a month isn't too much to ask.

No matter what schedule an enterprise decides on, the key is management buy-in and communication to the user community. Once the schedule is set, stick to it and only deviate in rare and unique situations.