What you will learn from this tip: How to successfully deploy a patch management strategy.
Ask an IT manager what one of the most pressing issues they deal with and chances are they'll tell you keeping their systems patched against security vulnerabilities. Regardless of which operating systems you use in your data center, patches are a fact of life, and keeping every system patched against every vulnerability is a never ending task.
There are a variety of ways to go about deploying these patches, ranging from manual patching each computer and device in your enterprise to a fully automated system that provides rule-based installation and reporting capabilities. However, there's more to effective patch management than just getting the latest and greatest patch on a machine. Good processes and policies are essential for the success of any IT project, and patch management is no exception. This article will take a look at the three tasks that should be part of the planning portion of every patch management strategy.
Develop a written patching policy. Document all aspects of your patch management plan as a corporate policy, and make sure that all relevant employees are aware of the who, what, how, where, when, and why of your organization's patching strategy. This policy should include at a minimum:
- which systems will be patched
- how patches are prioritized
- the schedule according to which non-critical patches will be
- the manner in which critical patches will be handled
- testing required prior to deployment
Establish a hot team. The Hot Team responds to all newly identified critical patches. They put together a plan for action for the critical patches in accordance with the organization's patching policy, and oversee the execution of this plan. The team may also be responsible for continuous monitoring of security and patch information sites. It is a good idea to create a standard list of sources of patching information that will be relevant to your organization, and define the frequency that these resources are reviewed.
Create formal change control processes for deployment. Using formal change control processes for patch deployment is important for a number of reasons. First, your organization has a repeatable standard process by which a patch is physically rolled out, making deployment easier for the IT operations staff. Second, it's not uncommon for a patch installation to go south. A back-out plan is an essential part of any change control process. Communicating in advance to the patching team what needs to be done when things go wrong can help keep outages to a minimum.
As stated before, there is more to patch management than just patching systems against vulnerabilities. The systems must also continue to serve their intended functions. Specific actions taken when rolling out patches can cause a loss or reduction of service to your end users. An outage resulting from an unpatched vulnerability and an outage resulting from a patch rollout gone wrong are logically the same- an outage is an outage.
Document the policies and processes in each of these areas and incorporate them into standard operating procedures for your organization. Just by defining these areas, previously overlooked functional or non-functional requirements for the overall patching plan may be revealed, and make your entire strategy that much more effective.
About the author: Kackie Cohen is a Silicon Valley-based consultant providing data center planning and operations management to government and private sector clients. Kackie is the author of Windows 2000 Routing and Remote Access Service and co-author of Windows XP Networking.
This was first published in February 2008