Patching can be a big challenge when you have hundreds maybe even thousands of IT assets to manage. With information security initiatives, it helps when you have a documented process and policy by which to follow. Consider this simple 10-step patch management process:
Step 1: Create an Inventory of all IT Assets
Gather inventory on all server, storage, switch, router, laptops, desktops, etc. on the network and distributed throughout the organization. Inventory can be gathered manually or through automated discovery tools.
Step 2: Categorize By Risk & Priority
Once you have collected an inventory of IT assets, categorize each asset by the number of applicable patches, risk (high, medium, or low) and what assets need immediate attention.
Step 3: Utilize a Test Lab Environment
Once you’ve completed an inventory and categorization, create a test lab environment that mirrors your production environment. Test lab environment should try to replicate the applications that you will use to test current patch updates.
Step 4: Security Personnel Evaluate Patch Stability
In this stage, a team member from your security team should be testing the stability of deploying patches to test or lab environment systems and applications.
Step 5: Monitor & Evaluate Lab Patch Updates
Once patches have been deployed in lab, your security staff should monitor these patches for any updates and evaluate to see if any breaks occur.
Step 6: Create Backups on Production Environments
After completing the testing in your lab environment, your staff should create a full backup of any data and any configurations setup within your environment. Personnel should also periodically test the backups and restore process to ensure it operates entirely.
Step 7: Implement Configuration Management
After your backups have been created and all lab patches tested, any changes to your production environment should be proposed and documented in the Configuration Management (CM) tool. If you experience any challenges during the rollout, you can refer to the CM tool for reference.
Step 8: Roll out Your Patches to Production
After going through Configuration Management, it is time to roll out your patches. Patch any mission-critical hardware or applications after business hours. This allows you to closely monitor the patches and implement any disaster recovery plans, as necessary.
Step 9: Ensure Your Patches are Maintained Regularly
After your patches roll out, you should continue to closely monitor the status of hardware and applications on the network to make sure there are no breaks or problems.
Step 10: Document Your Patch Management Process
Ensure your entire patch management process and procedures are documented within your general information security policies and procedures. Your patch management policy should cover critical updates, non-critical updates, and any regularly scheduled maintenance periods.
To learn more about our IT Managed Security Service offerings, and for a Complementary Technology Assessment, contact Ocean Computer Group today. 1.800.722.7032 | www.oceancomputer.com