Community
- Command Central
- MVP Program
- Monthly Mission
- Blogs
- Groups
- Events
- Media Vault
Products
- Observability
- Network Management
- Application Management
- IT Security
- IT Service Management
- System Management
- Database Management
Content Exchange
- SolarWinds Platform
- Server & Application Monitor
- Database Performance Analyzer
- Server Configuration Monitor
- Network Performance Monitor
- Network Configuration Manager
- SQL Sentry
- Web Help Desk
Free Tools & Trials

Who Owns Patching?

Our last couple of threads have talked about patching specifics. One murky area for some organizations is who actually "owns" OS patching.

I've been in companies where the "boots on the ground", or operations teams did the patching. I've also seen shops where security owns OS patching exclusively, and some where they simply set the policy. I've even seen Operations teams patch and hand off to QA teams. Some of the larger orgs I've been in have had a QA team actually execute the patching, and hand off to an Infrastructure team after testing. This seems to be the best system I've run across so far. It seems to vary wildly from company to company.

I'm curious how it works in your company, and why. Also, with your answer, specify how large your company is.

One other thing I'd be curious on is your take on the current owner. Is it the right place for it? Are you working to change it?

Thanks for the good discussions so far!

Find more posts tagged with

patch

patch_management

patch_manager

Accepted answers

All comments

jkuvlesk

Hi Brandon,

We have a post in PatchZone covering this topic. http://thwack.solarwinds.com/community/application-and-server_tht/patchzone/blog/2012/07/05/patch-management--roles-and-responsibilities

We also have a survey taking place that also addresses this question: http://thwack.solarwinds.com/community/application-and-server_tht/patchzone/blog/2012/08/09/chance-for-a-500-gift-card-for-participating-in-a-quick-survey-on-patching-3rd-party-applications The survey is still open through August 30th.

The survey results so far have been: 40% sysadmin, 25% network admin, 7% IT ops, with a few responses being client/desktop engineer/admin and only a few responses as security ops.

As far as your question about the right owner, that is a good one, and am interested to view responses to this question.

joelgarnick

Our operations center does the patching, our security team defines the policy and our hosting services (sysadmins) manage the schedule. The only complication is having enough resources in the operatsions center to do the work in the set window.

Company size ~5000 employees, no plans to change how the process works, it seems to work fairly well.

derekschauland

Thats a tough call. In my organization I am the IT department, so surely from that perspective it is all mine, but we do employ remote workers with non-domain joined laptops that are serviced through another solution (Windows Intune) for patching and updates. This service is not configured to prevent someone from going "hey I am going to load updates" but most surely wont do that... So it tends to fall back to me to manage and schedule and remem...

briley

Thanks for the heads-up on that Jennifer.

I guess that's proof that this is a topic that's on the minds of many, as we scramble to keep up with server sprawl and more frequent release schedules.

In some ways, our jobs have gotten easier as a result of recent technology advances. This seems to be one area where things are getting harder.

briley

Joel:

Do you find that your Ops staff is capable enough of thorough post-patch testing? That's one of the main issues I run into, and why I wanted to see how others were handling it.

Thanks!

antwesor

In my case, I work for a government department. About 500 clients to patch. Our help desk does the patching (me). The testing is done by everyone in IT including the managers and developers. I am thinking of widening the test group shortly, because some applications that need testing are not located in IT. There is ny 2 cents.

byrona

In our company its the Operations team that is responsible for patching. As we are quickly growing and looking to develop a security team there have been talks about moving the responsibility of patching to them. I am in the process of implementing a new patch management system for our Windows systems so we are also in the process of implementing an entirely new process to make our patching service more comprehensive.

The idea of post patch testing is an interesting one. As a MSP we have so many different environments it's not always clear what should be test. We tend to rely on our monitoring system (SolarWinds NPM & SAM) to tell if something isn't working properly after testing as we try to monitor all of the mission critical bits.

Sohail.Bhamani

In the positions I held through out my career, it has always been the sys admins jobs to perform the patching. These are the guys who are responsible for the servers and so it seemed to always fall onto them. I feel that security guys should be the ones who test the impact of the patch from a security perspective, however, let the experts at the server stuff do what they do best I say.