What is Patch Management Policy?
The patch management lifecycle covers a number of key steps in systems management, such as acquiring, testing, and installing multiple patches for software or existing applications. The administered computer system determines which patches need to be applied. The system admin ensures that patches are installed properly and that all associated procedures are documented as the specific configurations require. This makes the process simple and easy.
Most software companies conduct patch management as part of their internal process to fix issues with a software version. They also document the existing system and software tools. Some patches are functionality-based and need thorough testing. The objective of a software patch is to fix an issue noted during the release of the software. This is primarily done to analyze whether there is any potential risk to security.
Patch management has undergone drastic changes over time. It's a different ball game today. Earlier, when software was without a license, patches were stand-alone code modules available on external media. The admin would simply add the code to the existing software program and run it. Today, things have moved on to the cloud.
Patches are available over the global IP network, and the system is updated automatically by a tool that scans it and alerts you to updates. This helps the admin analyze whether anything more needs to be done to keep the system running seamlessly.
Patch Management Policy Best Practices
The increased complexity of IT infrastructure and networks, and the ever-growing threat of malware, have been a challenge for every system administrator. Software installations and updates have grown significantly, and so has the speed at which vulnerabilities strike. To deal with patch management, the system performs automated tasks and the admin performs timely deployment of updates.
- Keep an up-to-date inventory of all systems, including operating systems and software versions, physical locations and IP addresses, as well as software tools, including commercial tools. Inventory your network at regular intervals.
- Standardize the production systems and draw up a plan of the different software versions in the existing environment. This will make your job easier the next time an update is scheduled.
- Make a list of all components related to security control, such as firewalls, routers and antivirus software, and their configurations. Also keep a checklist of non-standard configurations; this will help you act fast when a vulnerability arises.
- Keep a list of vulnerabilities and make a report of it, then compare the reported vulnerabilities against your inventory list. Now single out the vulnerabilities that can harm your systems. Keep dedicated resources to do this task and manage the process.
- Assess the risk and vulnerability and classify the risk accordingly. Identify the servers and systems that are both vulnerable and mission-critical. You can test whether the firewall is blocking the threat. This way you can classify and prioritize the risk. Three things should be on your list: severity of the threat, impact of the vulnerability, and the cost of recovery/mitigation.
- Finally, apply the patch after you have made sure all the above steps are taken care of. As a system admin, you now have a clear idea of which patches need to be installed or updated. The most important part of patch management is to evaluate the tool and find out how well it suits your requirements.
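The inventory comparison and risk classification steps above can be scripted. The following is an added example, not part of the original article: the asset and advisory records are constructed, the advisory ids are placeholders, and the scoring formula (severity x impact x recovery cost) is one hypothetical way to combine the three factors the list names.

```python
from dataclasses import dataclass

SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}

@dataclass(frozen=True)
class Asset:
    host: str
    ip: str
    software: str
    version: str
    mission_critical: bool
    recovery_cost: int  # assumed scale: 1 (cheap to rebuild) .. 3 (costly outage)

@dataclass(frozen=True)
class Advisory:
    ident: str      # placeholder id, not a real CVE
    software: str
    fixed_in: str   # first version that contains the fix
    severity: str

def vtuple(version):  # '2.4.10' -> (2, 4, 10), so 2.4.9 sorts before 2.4.10
    return tuple(int(part) for part in version.split("."))

def patch_queue(inventory, advisories):
    """Match advisories to the inventory; rank with a hypothetical score."""
    findings = []
    for adv in advisories:
        for asset in inventory:
            if asset.software != adv.software:
                continue
            if vtuple(asset.version) >= vtuple(adv.fixed_in):
                continue  # already at or past the fixed version
            impact = 2 if asset.mission_critical else 1
            score = SEVERITY[adv.severity] * impact * asset.recovery_cost
            findings.append((score, asset.host, adv.ident, adv.fixed_in))
    # Highest score first; host and advisory id break ties deterministically.
    return sorted(findings, key=lambda f: (-f[0], f[1], f[2]))

# Constructed sample data (IPs are from the 192.0.2.0/24 documentation range).
INVENTORY = [
    Asset("db01", "192.0.2.10", "examplesql", "5.7.2", True, 3),
    Asset("web01", "192.0.2.20", "examplehttpd", "2.4.9", True, 2),
    Asset("kiosk7", "192.0.2.77", "examplehttpd", "2.4.10", False, 1),
    Asset("dev03", "192.0.2.33", "examplesql", "5.6.40", False, 1),
]
ADVISORIES = [
    Advisory("ADV-EXAMPLE-1", "examplehttpd", "2.4.10", "critical"),
    Advisory("ADV-EXAMPLE-2", "examplesql", "5.7.3", "high"),
]

if __name__ == "__main__":
    print(*patch_queue(INVENTORY, ADVISORIES), sep="\n")
```

Versions are compared as integer tuples because a plain string comparison would rank 2.4.9 above 2.4.10 and hide an unpatched host.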
Patch Management Policy and Procedures
The patch management policy helps in making decisions during the cycle. The policy clarifies the patching strategy and whether all patches should be automated, manual or default. There has to be a classification based on the seriousness of the security issue, followed by the remedy. Patch management is a set of generalized rules and solutions. The idea is to have a process in place that prevents load and compatibility problems.
The policy applies to all components of the IT infrastructure and includes: computers, servers, software, routers and switches, peripherals, databases and storage.
Users should be made aware of the policy. Admin and IT staff are responsible for keeping the system clean and safe and for ensuring that patches are updated regularly.
Risks
- Foresee the risks: without effective patch management, systems may become unavailable, whether because viruses and malware exploit them or because out-of-date software makes them unstable.
Procedure
- Set patch updates to automatic mode or apply them manually. The antivirus and other security components need to be checked and updated to the latest version.
- If the OS is Windows, the patch management tools should be set to download the latest Microsoft security patches automatically. The patches will be reviewed and applied as appropriate.
- Periodically review the websites of the suppliers who provide servers, PCs, tablets, printers, switches, routers and other peripherals to check for firmware patches.
- Linux systems should be updated with relevant patches and then tested and implemented accordingly.
- The IT department will be responsible for approving all patches and will take ownership of all technical updates, covering operating systems, software, antivirus, servers, workstations, patches and device drivers.
How to Create a New Patch Management Policy
The administrator can create new patch management policies from the Policies interface to automatically and periodically install the patches, updates or third-party applications available from the patch management server onto individual endpoints, or onto groups of endpoints covered by specific tags, registered for the selected customer account.
To add a new policy
- Select the customer account from the 'Customer Account' drop-down
- Open the policies interface by clicking the 'Policies' tab
- Click the 'Add Policy' button at the top right. The 'Create New Policy' dialog will open.
The Patch Management module allows administrators to create policies to automatically apply patches to endpoints according to a specific schedule. Creating a policy keeps selected endpoints up to date without administrator intervention. Policies are constructed by specifying the type of patch (operating system or third-party), the schedule for the operation, the target endpoints and various other criteria such as patch severity. The patch management module uses 'Cron' to execute the policy commands.