Establish a patch management policy

Given the current state of security, patch management can easily become overwhelming, which is why it's a good idea to establish a patch management policy to define the necessary procedures and responsibilities. Here's a sample policy you can modify for your organization's needs.

Patch management is an issue that will always plague your organization's network. There will always be patches, updates, and security fixes to apply. Unfortunately, there will not always be unlimited time to evaluate and distribute fixes to close a security hole that attackers are currently exploiting.

Usually, I would discuss the components of a patch management policy and go over what such a policy needs to address, but this time I want to do something different. Rather than talking about which potential issues a policy should cover, let's look at a sample policy you can adapt to fit your organization's needs.

Sample patch management policy

Here's a sample patch management policy for a company we'll call XYZ Networks. If you don't have such a policy in your organization, you can use the following as a starting point.

Goal

It is the chief information officer's (CIO's) responsibility to provide a secure network environment for XYZ Networks' automated applications, staff, business partners, and contractors. As part of this goal, it is XYZ Networks' policy to ensure all computer devices (including servers, desktops, printers, etc.) connected to XYZ Networks' network have proper virus protection software, current virus definition libraries, and the most recent operating system and security patches installed.

NetOps Responsibility

The Network Operations (NetOps) division is responsible for the overall patch management implementation, operations, and procedures. While safeguarding the network is every user's job, NetOps is the division that ensures all known and reasonable defenses are in place to reduce network vulnerabilities while keeping the network operating. This responsibility includes the tasks detailed below.

Monitoring

NetOps will monitor security mailing lists, review vendor notifications and Web sites, and research specific public Web sites for the release of new patches. Monitoring will include, but not be limited to, the following:

  • Scanning XYZ Networks' network to identify known vulnerabilities.
  • Identifying and communicating identified vulnerabilities and/or security breaches to XYZ Networks' chief information security officer (CISO) and CIO.
  • Monitoring CERT, notifications, and Web sites of all vendors that have hardware or software operating on XYZ Networks' network.

Review and evaluation

Once alerted to a new patch, NetOps will download and review the new patch within four hours of its release. NetOps will categorize the criticality of the patch according to the following:

  • Emergency -- an imminent threat to XYZ Networks' network
  • Critical -- targets a security vulnerability
  • Not Critical -- a standard patch release update
  • Not applicable to XYZ Networks' environment

Regardless of platform or criticality, all patch releases will follow a defined process for patch deployment that includes assessing the risk, testing, scheduling, installing, and verifying.

Risk assessment and testing

NetOps will assess the effect of a patch on the corporate infrastructure prior to its deployment. The department will also assess the patch's criticality for each affected platform (e.g., servers, desktops, printers, etc.).

If NetOps categorizes a patch as an Emergency, the department considers it an imminent threat to XYZ Networks' network. Therefore, XYZ Networks assumes greater risk by leaving the patch uninstalled while it is tested than by implementing it before testing.

Patches deemed Critical or Not Critical will undergo testing for each affected platform before release for implementation. NetOps will expedite testing for critical patches. The department must complete validation against all images (e.g., Windows, UNIX, etc.) prior to implementation.

Notification and scheduling

NetOps' management must approve the schedule prior to implementation. Regardless of criticality, each patch release requires the creation and approval of a request for technical change (RTC) prior to releasing the patch. XYZ Networks' CISO will decide when notifying staff is necessary.

Implementation

NetOps will deploy Emergency patches within eight hours of availability. Because Emergency patches address an imminent threat to the network, the release may precede testing. In all instances, the department will perform testing (either pre- or post-implementation) and document it for auditing and tracking purposes.

Here is a sample timeline for releasing critical patches:

Available            (A) = 0        Monday
Submit for testing   < A + 1 day    Tuesday
Approved             < A + 3 days   Thursday
Release              < A + 5 days   Saturday

NetOps will obtain authorization for implementing Critical patches via an emergency RTC and XYZ Networks' approval. The department will implement Not Critical patches during regularly scheduled preventive maintenance. Each patch will have an approved RTC.

For new network devices, each platform will follow established hardening procedures to ensure the installation of the most recent patches.
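As an added illustration (not part of the original article or the XYZ Networks policy), the following Python turns the criticality categories, the four-hour review window, the eight-hour Emergency deployment window, and the sample Critical timeline above into deadlines and audits a patch tracking record against them, including the RTC and post-release verification requirements. The PatchRecord fields and the sample dates are assumptions for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional
# Criticality levels as named in the XYZ Networks sample policy.
EMERGENCY, CRITICAL, NOT_CRITICAL, NOT_APPLICABLE = (
    "Emergency", "Critical", "Not Critical", "Not Applicable")
# Deadlines from availability (A): the 4-hour review and 8-hour Emergency deployment come
# from the policy text; the Critical schedule is the sample A+1/A+3/A+5 day timeline.
REVIEW_WINDOW = timedelta(hours=4)  # applies to every patch; Not Critical has no other deadline
DEADLINES = {
    EMERGENCY: {"released": timedelta(hours=8)},
    CRITICAL: {"submitted_for_testing": timedelta(days=1),
               "approved": timedelta(days=3), "released": timedelta(days=5)}}
@dataclass
class PatchRecord:
    criticality: str
    available: datetime
    reviewed: Optional[datetime] = None  # a step's timestamp stays None until it is done
    submitted_for_testing: Optional[datetime] = None
    approved: Optional[datetime] = None
    released: Optional[datetime] = None
    rtc_approved: bool = False  # request for technical change (RTC) on file
    verified: bool = False      # post-release installation check performed

def milestones(record):
    """Map each milestone that applies to this patch to its policy deadline."""
    due = {"reviewed": record.available + REVIEW_WINDOW}
    for name, offset in DEADLINES.get(record.criticality, {}).items():
        due[name] = record.available + offset
    return due

def audit(record):
    """Return the policy violations for a record; an empty list means compliant."""
    findings = []
    for name, deadline in milestones(record).items():
        actual = getattr(record, name)
        if actual is None:
            findings.append(f"{name}: not recorded (due {deadline:%a %Y-%m-%d %H:%M})")
        elif actual > deadline:
            findings.append(f"{name}: late by {actual - deadline}")
    if record.released is not None and not record.rtc_approved:
        findings.append("released without an approved RTC")
    if record.released is not None and not record.verified:
        findings.append("installation not verified after release")
    return findings

# Constructed sample: a Critical patch that met every deadline but was never verified.
SAMPLE = PatchRecord(CRITICAL, datetime(2008, 3, 3, 9), reviewed=datetime(2008, 3, 3, 11),
    submitted_for_testing=datetime(2008, 3, 3, 17), approved=datetime(2008, 3, 5, 15),
    released=datetime(2008, 3, 8, 2), rtc_approved=True)
```

Running audit() over the records in a patch tracking system gives the evidence the "Auditing, assessment, and verification" step calls for, and a non-empty result for any Emergency or Critical patch is the signal to escalate.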

Auditing, assessment, and verification

Following the release of all patches, NetOps staff will verify the successful installation of the patch and that there have been no adverse effects.

User responsibilities and practices

It is the responsibility of each user -- both individually and within the organization -- to ensure prudent and responsible use of computing and network resources.

Final thoughts

While this policy is simple, it spells out the details -- specifically, who, why, when, and how -- that all policies should address. Once you have your patch management policy in place, don't let it be just a piece of paper -- make sure the company follows it.

Mike Mullins has served as an assistant network administrator and a network security administrator for the U.S. Secret Service and the Defense Information Systems Agency. He is currently the director of operations for the Southern Theater Network Operations and Security Center.

11 comments
sarah.kahler

Great article. From both the security and regulatory perspectives, it is critical that companies establish processes for identifying threats and implementing patches to prevent negative impacts to the business. Since the amount of threat data coming in from a variety of sources can be overwhelming for a security team, companies should focus on ways to consolidate threat data from trusted sources in order to determine the impact to the infrastructure. Also, having a means to automatically notify responsible personnel will allow them to proactively address those threats and better understand the overall security posture for the business.

jodie.swafford

How about some examples of how you test patches prior to deployment in your network? How do you ensure users' applications function correctly?

Roch.Skelton

What are the options in use for patches to handheld devices, usually with MS Mobile 5 or 6, or perhaps Palm OS? A security patch (say to fix WEP or WPA problems) appears to require reimaging the OS by an authorized service center, without options for on-site updates.

forg3d

This is an interesting format for a policy. It tends to read more like a procedure, and there do not appear to be any quantifiable standards (e.g., time, etc.) to enable quality metrics. The breakdown of a policy into policy statement, corollaries, standards, procedures, and monitoring may assist in making this structure more robust.

judith.tiheli

Can someone guide me regarding how I can establish automatic patches?

gtech.innovator

What is a patch? Is there any Internet Explorer 6.0 or IE 7 patch available on the Internet?

kevinkfred

I use the (free) Microsoft Windows Security Update Server (service?) for our 100 desktop / 20 server network. I have group policy defined to point all computers to the WSUS server for their patches. Two big reasons I went with it besides the automation - decreased Internet bandwidth consumed (only the WSUS server reaches out to Redmond for updates), systems that are blocked by our firewall from accessing the Internet (for security reasons) can get patches off of the local network. It seems to work very well for me.

ljarvis

We use Patchlink Update from Lumension (http://www.lumension.com). It works well for our 100+ Windows PCs and 17 or so Windows servers (but is not limited to Microsoft patches only -- it supports multiple operating systems and multiple software titles). Of course there is a cost for this software. If money is tight and you only use Microsoft products then you could use Microsoft Windows Server Update Services. I have never used it but hear it works relatively well considering it is free. I hope you find this information useful.

rwright142

Does WSUS enable servers to be patched without being rebooted? It seems like patches released in the past 2 months or so have required my servers to be rebooted. A couple have even shutdown the servers! Unfortunately I clicked [OK] before I read where it said "Install patches and shutdown". I'm used to the usual "Install patches and reboot". I had to drive 45 minutes just to press the power button! Geez...

lemorehcor

To add, other than Patchlink and WSUS there are BigFix, LANDesk, and Shavlik. BigFix and LANDesk are agent based. Relevant patches can be scheduled for deployment, as well as the reboots. Options are also present for the end user to snooze or cancel the installation as well as the system reboots. Multiple patches may be installed (for Windows) using qchain and a single reboot performed. Hope this is helpful....

wrey

Yes, you can set up the updates from the WSUS server to be installed but not to reboot the servers or workstations. This is done through Group Policy, not WSUS. I hope this helps.