8 Replies Latest reply on Aug 23, 2012 12:55 AM by Sohail Bhamani

    Who Owns Patching?


      Our last couple of threads have talked about patching specifics.  One murky area for some organizations is who actually "owns" OS patching. 


      I've been in companies where the "boots on the ground", or operations teams did the patching.  I've also seen shops where security owns OS patching exclusively, and some where they simply set the policy.  I've even seen Operations teams patch and hand off to QA teams.  Some of the larger orgs I've been in have had a QA team actually execute the patching, and hand off to an Infrastructure team after testing.  This seems to be the best system I've run across so far.  It seems to vary wildly from company to company.


      I'm curious how it works in your company, and why.  Also, with your answer, specify how large your company is. 


      One other thing I'd be curious on is your take on the current owner.  Is it the right place for it?  Are you working to change it?


      Thanks for the good discussions so far!

        • Re: Who Owns Patching?

          Hi Brandon,


          We have a post in PatchZone covering this topic.  http://thwack.solarwinds.com/community/application-and-server_tht/patchzone/blog/2012/07/05/patch-management--roles-and-responsibilities


          We also have a survey taking place that also addresses this question: http://thwack.solarwinds.com/community/application-and-server_tht/patchzone/blog/2012/08/09/chance-for-a-500-gift-card-for-participating-in-a-quick-survey-on-patching-3rd-party-applications  The survey is still open through August 30th.


          The survey results so far have been: 40% sysadmin, 25% network admin, 7% IT ops, with a few responses being client/desktop engineer/admin and only a few responses as security ops.


          As far as your question about the right owner, that is a good one, and am interested to view responses to this question.

            • Re: Who Owns Patching?

              Thanks for the heads-up on that Jennifer.


              I guess that's proof that this is a topic that's on the minds of many, as we scramble to keep up with server sprawl and more frequent release schedules.


              In some ways, our jobs have gotten easier as a result of recent technology advances.  This seems to be one area where things are getting harder.

            • Re: Who Owns Patching?

              Our operations center does the patching, our security team defines the policy and our hosting services (sysadmins) manage the schedule.  The only complication is having enough resources in the operatsions center to do the work in the set window.


              Company size ~5000 employees, no plans to change how the process works, it seems to work fairly well.

              • Re: Who Owns Patching?

                Thats a tough call.  In my organization I am the IT department, so surely from that perspective it is all mine, but we do employ remote workers with non-domain joined laptops that are serviced through another solution (Windows Intune) for patching and updates. This service is not configured to prevent someone from going "hey I am going to load updates" but most surely wont do that... So it tends to fall back to me to manage and schedule and remem...

                • Re: Who Owns Patching?

                  In my case, I work for a government department. About 500 clients to patch. Our help desk does the patching (me). The testing is done by everyone in IT including the managers and developers. I am thinking of widening the test group shortly, because some applications that need testing are not located in IT. There is ny 2 cents.

                  • Re: Who Owns Patching?

                    In our company its the Operations team that is responsible for patching.  As we are quickly growing and looking to develop a security team there have been talks about moving the responsibility of patching to them.  I am in the process of implementing a new patch management system for our Windows systems so we are also in the process of implementing an entirely new process to make our patching service more comprehensive.


                    The idea of post patch testing is an interesting one.  As a MSP we have so many different environments it's not always clear what should be test.  We tend to rely on our monitoring system (SolarWinds NPM & SAM) to tell if something isn't working properly after testing as we try to monitor all of the mission critical bits.

                    • Re: Who Owns Patching?
                      Sohail Bhamani

                      In the positions I held through out my career, it has always been the sys admins jobs to perform the patching.  These are the guys who are responsible for the servers and so it seemed to always fall onto them.  I feel that security guys should be the ones who test the impact of the patch from a security perspective, however, let the experts at the server stuff do what they do best I say.