How an enterprise decides to manage patch administration probably varies based on who is doing it, the maturity of the Vulnerability Management program, and the business’ tolerance of maintenance windows.
In my opinion patching should be broken into four categories:

(1) Infrastructure. This would be servers, devices and applications that are used by IT and can be patched with no impact to business users or business processes. This patching can be accomplished as often as necessary, but monthly will probably work out the best.
(2) Servers / Operating Systems. This category includes the Windows and/or Linux servers in the environment. This is where IT management needs to get a recurring maintenance window from the business that is always available for IT to use whether it is needed or not. In my humble opinion this window should be available weekly. While we are probably not going to patch weekly, this window can be used to fix application problems, apply emergency / critical patches, etc. Server patching probably can’t be performed more than quarterly because you will need time to test patches in the non-prod environment.
(3) Applications. This category includes business applications such as ERP systems, HR systems, etc. These systems should be patched during the maintenance window arranged by IT management above. How often this patching occurs will depend on the business’ desire, because it will take a good amount of resources to test the patches and identify any impacts on systems that may feed or receive data from the patched system. Twice a year may be the best-case scenario; once a year may be the schedule that works best for the business.
(4) Workstations. This is where the biggest risk may be located for the enterprise. While the endpoint security (anti-virus, anti-malware, etc.) should be updating daily, OS patching should be applied monthly. If a standard desktop image is used, testing should be pretty straightforward, and a reboot by users once a month isn’t too much to ask.
No matter what schedule an enterprise decides on, the key is management buy-in and communication to the user community. Once the schedule is set, stick to it and only deviate in rare and unique situations.
Until next time…

~Skeeter