  • Creator
  • #2188879

    Patch Management and Patching Policies


    by dacook ·

    I am looking for resources or advice for writing a patch management policy.

    I am wondering what other companies are doing that have mixed environments (Windows, Linux, Solaris and Mac). I know this is a vague question, but I am just trying to get others' opinions and other viewpoints on what needs to be included and what to avoid in writing these. Are there any SOX requirements when it comes to patching that need to be taken into account? (We currently are not required to pass SOX audits, but I want to write it so it will pass SOX muster.)

All Comments

  • Author
    • #3115050

      Depends…

      by modster ·

      In reply to Patch Management and Patching Policies

      Some companies have automated patch management through various tools available on the market which can assist in the scheduling of your patches. For instance, if a “0-day” patch comes out (something with a critical vulnerability), it would make sense to patch ASAP with little to no testing in advance. Depending on the criticality of the patch and what it is doing, you can decide at what level you want to regression test prior to releasing, or what an acceptable amount of time for release is for your organization. In regards to SOX, I’m really not an expert and would hate to lead you on. From what I understand, it is all in the interpretation and making an effort in good faith to keep your systems and data protected. Bottom line, you need to look at the industry you are in, to what level you want to protect your data, and what your definitions of various patching levels are. Once you’ve defined the requirements, then move on to making policy that supports it.

      • #3136439

        Make a policy and stick with it!

        by drewtipton ·

        In reply to Depends…

        I remember doing some Sarb-Ox work a while back at one of my former companies…
        One of the recurring themes that kept coming back (we were, at the time, looking at desktop and email backup systems) was that nearly anything was acceptable, provided that you had a policy and STUCK TO IT!
        I know that email recoverability was a major thing. My company at the time worked around that by authoring a policy that email backups were to be kept for 90 days only. To that end, they turned off remote-mail access and required users to maintain their email on the servers only. They also audited desktops to make sure that emails weren’t being saved. When the Sarb-Ox auditors came in, that passed muster, until they found one user (one of the other sysadmins, in fact) that had exempted himself from the server-only policy and had downloaded all of his email. That caused us to fail the audit (fortunately, it was only a preliminary, and not the “full” audit), and very nearly cost that admin his job.

        Just write your policy and stick to it. As long as you do that, they can’t fault you.
