A patch management policy is important for keeping your system's security regularly updated. Patch management involves obtaining, testing, and installing several patches to the computer system in order to keep it safe against malware attacks. The tasks carried out during patch management include: keeping up to date on which patches are available, determining what patches are right for your system, making sure that these patches are properly installed, testing your system after installation, and documenting all related procedures.
The main reason for the implementation of a patch management policy is to define the process that IT security teams must follow to ensure that their systems and applications are up-to-date, known vulnerabilities are addressed and that the organization is compliant with several regulations and standards.
What should a patch management policy cover?
- Knowing what best suits your needs. An important component to include in a patch management policy is the analysis of information relating to both issues of security as well as the most recent patch releases available. It's vital to know what security issues and software updates are relevant to your particular environment. Your organization therefore should have an individual or a team that is in responsible for the security and management of systems and applications and their upkeep. This individual or team would also be responsible for updates and revisions to the existing policy.
- Relationships with key vendors. It's also important for an organization to maintain relationships with its chief operating system, application, and network device vendors which release and distribute information on product security issues and patches. These relationships can vary, from weekly or monthly calls to just subscriptions to a vendor's security announcement list. Keeping an eye on public web sites and mailing lists is also recommended. Information sources should be listed in the policy.
- Keep your system secure and reliable. History has shown time and again that systems that have not been patched are those that suffered serious security breaches and data loss. Depending on the size of the organization, patch management can prove a nightmare if managed manually and there is no policy in place. With a well-designed policy, coupled with a technology solution, security administrators will find their job much easier to do and the risk of mistakes being made greatly reduced.
- Compliance. A patch management policy enables organizations to have better control and supervision of their information resources, ensuring that they are in line with governance and regulatory compliance demands. Regular updating of this policy is a must.
- Costs. Dealing with a security breach can be very expensive for an organization. The costs go up even more if there is no proper plan in place to manage systems and applications. Inasmuch as a patch management policy guides security personnel on how to maintain their network, this policy will also provide guidance on what to do if something goes wrong. If something goes wrong, your IT staff needs to know what to do. Such a policy can save time and money and even prevent a security breach from becoming unmanageable.
With the ongoing threat of security being compromised, and given the huge and daunting task of patch management, it's almost certainly a good idea to have the essential procedures and responsibilities clearly defined through a detailed patch management policy.
Security Patch Management: Getting Started
Written by Enrica Garroni on behalf of GFI Software Ltd. GFI is a leading software developer that provides a single source for network administrators to address their network security, content security and messaging needs. More information at GFI patch management.