…that includes assessing the risk, testing, scheduling, installing and verifying.
Risk assessment and testing
NetOps will assess the effect of a patch on the corporate infrastructure prior to its deployment. The department will also assess the affected patch for criticality relevant to each platform (for example, servers, desktops, printers and so on).
If NetOps categorises a patch as an Emergency, the department considers it an imminent threat to XYZ Networks' network. Therefore, XYZ Networks assumes greater risk by delaying the patch for testing than by implementing it immediately.
Patches deemed Critical or Not Critical will undergo testing for each affected platform before release for implementation. NetOps will expedite testing for critical patches. The department must complete validation against all images (for example, Windows, Unix and so on) prior to implementation.
Notification and scheduling
NetOps' management must approve the schedule prior to implementation. Regardless of criticality, each patch release requires the creation and approval of a request for technical change (RTC) prior to releasing the patch. XYZ Networks' chief information security officer will decide when notifying staff is necessary.
Implementation
NetOps will deploy Emergency patches within eight hours of availability. As Emergency patches pose an imminent threat to the network, the release may precede testing. In all instances, the department will perform testing (either pre- or post-implementation) and document it for auditing and tracking purposes.
Here is a sample timeline for releasing critical patches:
Available (A) = day 0: Monday
Submit for testing: < A + 1 day (Tuesday)
Approved: < A + 3 days (Thursday)
Release: < A + 5 days (Saturday)
NetOps will obtain authorisation for implementing Critical patches via an emergency RTC and XYZ Networks' approval. The department will implement Not Critical patches during regularly scheduled preventive maintenance. Each patch will have an approved RTC. For new network devices, each platform will follow established hardening procedures to ensure the installation of the most recent patches.
Auditing, assessment and verification
Following the release of all patches, NetOps staff will verify the successful installation of the patch and that there have been no adverse effects.
User responsibilities and practices
It is the responsibility of each user — both individually and within the organisation — to ensure prudent and responsible use of computing and network resources.
Final thoughts
While this policy is simple, it spells out the details — specifically, who, why, when and how — that all policies should address. Once you have established your patch-management policy, don't let it be just a piece of paper — make sure the company follows it.
Mike Mullins has served as an assistant network administrator and a network security administrator for the US Secret Service and the Defense Information Systems Agency. He is currently the director of operations for the Southern Theater Network Operations and Security Centre.