The patch management process varies from organization to organization based on infrastructure size, organizational policy and size of the organization. Smaller organizations may assign a single administrator to take care of patch management and the network, while large enterprise offices may have specific person or a dedicated team to deal with patch management. In all instances, the reason for patch management is to keep applications up-to date, mitigate vulnerabilities and to meet with compliance standards.
Patch management involves a series of responsibilities assigned to a person/team who handles patch management. Responsibilities include:
• Identifying available patches or threats
• Deploying patches
• Compliance assessment & reporting
• Educating stakeholders
Identifying the available patches is the first step in patch management. The administrator should learn about their application landscape. They should be aware of software installed in the user desktops, servers etc. Only when the administrator has awareness about the environment, can they start identifying the necessary software that is needed to be patched.
Deploying patches involves testing the patch in test environment for possible errors and then deploying the patch. After deployment it is necessary to monitor the application environment to determine whether the patch was successful – did it cause performance issues or was the patch deployed to all needed systems.
Compliance involves regular audit and assessment of whether applications have been patched for known security vulnerabilities Audit reports help administrators understand:
• What systems need to be patched for a given vulnerability?
• Are the all systems in compliance?
One aspect of patch management is change management, which involves keeping in track of all updates. So, if anything goes wrong there is back-out plan-documentation of the version and configurations to roll back to. This documentation is also helpful in meeting audit requirements.
Education involves educating end-users as well management on why patch management is necessary. With education, you can explain your logic for how frequently updates are made. Updating regularly may cause system down-time which affects productivity, while not-patching increases the risk of vulnerability. So administrators need to educate users about patch management from security perceptive and also in-term of productivity.