13 for ’13 Jumpstart: Patch Management
A few weeks ago we published an article called 13 IT Projects to Include in Your Plans for 2013. In that post, we suggested 13 IT projects for you to consider, since as the New Year approaches, many IT departments start lining up their wish lists for the following year. We got several requests on the blog and on our social media pages asking for tips to help “jumpstart” some of these projects, so we decided to publish some follow-up articles to help do just that.
Our first project suggestion was Patch Management. Here’s what we had to say about patch management:
“Make 2013 the year you finally get patch management perfect, covering servers and workstations, operating systems and third party applications, and being able to report on status and push updates as needed. Patching will always be critical, but that doesn’t mean it has to be painful, and a good patch management solution should be at the top of everyone’s list.”
With that in mind, here are some tips to help you jumpstart this project:
Get senior management sponsorship
Executive sponsorship is critical to the success of any project and it should be there from the start. Find someone in the IT management team who understands how critical patching is to the security, management and performance of IT systems, and who can bring the needed authority to the project.
Create a team
Don’t try to come up with a patch management plan on your own. Include other members of IT. Smaller shops should include everyone, while larger organizations should make sure that there is at least one representative from each of the major IT teams. If you want everyone in IT to buy into this (and if you plan on succeeding, you need them to), then they need to have a say in how things will work.
Include project management
This is a critical project for any company, and as with any project, good project management can make the difference between success and failure. If you have a PMO (Project Management Office), engage with them from the very start. If you don’t, work with whoever in your company is best at project management, and get their assistance. This might be a great way for you to build up your own project management skills as well.
Identify what needs patching
Make a list of all the systems and applications that are in your environment, and rank them on how critical they are to patch. Obviously operating systems will be first on this list, and should include both your servers and your workstations, whether they come from Redmond, Cupertino or elsewhere. Then make a list of the apps your users depend upon. Microsoft Update may take care of your Office apps, but what about your text editors, media readers, line-of-business applications, antivirus software, etc.? You need to account for all of them, and manual patching is not going to work.
Determine your patching requirements
These should include compliance requirements, timelines, patching windows, responsible parties, exception processes, mitigation processes, etc.
Select and purchase a patching application
Patching is just too important to leave anything to chance, and too much work to handle manually. The only way to have a successful patch management program is to implement an application that can automate as much of your required patching as possible. Use the list of applications you created, and the requirements you established for patching, to evaluate available products and select the one that best meets your needs. Do not expect you will find one that will cover 100% of your needs. Between legacy applications, homegrown applications and the multitude of apps that are installed on your users’ workstations, it’s unlikely you will ever find one app that can patch everything. Think about the 80/20 rule, and make plans to handle any applications or systems that must be manually patched.
Your patch management application should support testing, auditing, reporting, rollbacks, scheduled and manual deployments, and you need to test those on your systems before you make your purchase. All the best patch management apps offer trial versions for customers to evaluate. Take advantage of that instead of just making a selection based on who has the best website.
Create testing procedures and have systems for testing
Whether you have a QA lab, or just designate a certain number of machines for earlier patching, you need to test all patches before you deploy them company-wide. No matter how much time and effort the vendors put into their patches, accidents will happen, and you would rather find that out on a handful of machines before you create issues for all of your machines.
Establish maintenance windows
It is absolutely essential that your patching program has designated windows when patching can occur and that these windows are honored. Only executive management should be able to declare that a patching activity must wait on something else, and when that does occur, patching must be allowed as soon as possible. Having that senior management sponsorship is key to getting this in place. Maintenance windows should be available at least once a month. Avoid the last weekend of the month so you don’t conflict with projects like end-of-month accounting or sales activities, and make sure that there are provisions for emergency patching in case some zero-day exploit threatens.
Don’t underestimate the importance of reporting
In-depth reporting is key to ensuring nothing is missed. Your patch management strategy should include regular auditing and reporting, and these reports should be reviewed to confirm that all systems are compliant. Use the reporting to keep on top of any systems that were granted a temporary exception to make sure they don’t fall through the cracks.
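One way to turn the patch status data your tool exports into the kind of report described here, as an added example that is not part of the original article or any vendor's product: it applies an assumed 30-day patching deadline, honors exceptions from the exception register only until their expiry date, and flags a system whose exception has lapsed so it cannot fall through the cracks. The record format, the deadline value, and all system and patch names are constructed for illustration.

```python
from datetime import date, timedelta

# Assumed patching timeline from the requirements step: a released patch
# must be installed within this many days (placeholder value).
DEADLINE_DAYS = 30

def classify(system, exceptions, today, deadline_days=DEADLINE_DAYS):
    """Return (status, findings) for one system.

    status is "compliant", "excepted" (every overdue patch has a valid
    exception) or "non-compliant"; findings explain each missing patch.
    An expired exception counts against the system, so a temporary pass
    cannot quietly become a permanent one.
    """
    status, findings = "compliant", []
    for patch, released in sorted(system["missing"].items()):
        due = released + timedelta(days=deadline_days)
        expires = exceptions.get((system["name"], patch))
        if expires is not None and expires >= today:
            findings.append(f"{patch}: excepted until {expires}")
            status = "excepted" if status == "compliant" else status
        elif expires is not None:
            findings.append(f"{patch}: exception expired {expires}, overdue")
            status = "non-compliant"
        elif today > due:
            findings.append(f"{patch}: overdue since {due}")
            status = "non-compliant"
        else:
            findings.append(f"{patch}: due {due}")
    return status, findings

def build_report(systems, exceptions, today):
    """Map each system name to its classification, plus a summary count."""
    report = {s["name"]: classify(s, exceptions, today) for s in systems}
    summary = {k: 0 for k in ("compliant", "excepted", "non-compliant")}
    for status, _ in report.values():
        summary[status] += 1
    return report, summary

# Constructed sample data, not from any real environment.
TODAY = date(2013, 1, 15)
SYSTEMS = [
    {"name": "fs01", "missing": {}},
    {"name": "ws-042", "missing": {"KB-ALPHA": date(2012, 12, 1)}},
    {"name": "erp01", "missing": {"KB-ALPHA": date(2012, 12, 1)}},
    {"name": "db02", "missing": {"KB-BETA": date(2012, 11, 1)}},
    {"name": "ws-077", "missing": {"KB-GAMMA": date(2013, 1, 10)}},
]
EXCEPTIONS = {  # (system, patch) -> expiry granted by the exception process
    ("erp01", "KB-ALPHA"): date(2013, 2, 28),
    ("db02", "KB-BETA"): date(2012, 12, 31),
}

if __name__ == "__main__":
    report, summary = build_report(SYSTEMS, EXCEPTIONS, TODAY)
    for name, (status, findings) in report.items():
        print(f"{name:8} {status:14} {'; '.join(findings)}")
    print(summary)
```

Run against a real export, the two systems reported non-compliant (one overdue with no exception, one whose exception expired) are the ones to chase before the next maintenance window.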
Include hardware in your plans
Make sure to include processes to update the firmware on your network routers and switches, your wireless access points, and firmware versions on your servers’ BIOS and network cards. You probably won’t ever find an application that can automate that for all the various hardware on your network, but you want to make sure that you don’t overlook these important needs.
Run quarterly audits of the patching reports and inspect a random sampling of servers, workstations and network gear to be sure your patch management solution is being applied as you intended. Don’t be afraid to update or change your processes and procedures if necessary.
And while it may not sound like it’s a part of patch management, running regular vulnerability scans against both your internal and external network will help identify new issues as they arise or anything that slips through the cracks. Schedule them to run at least monthly, and act on any issues immediately.
So now you have some tips to help you get started on patch management as a project, along with some of the key things to be sure you include to make this project a success. Management sponsorship, project management and consensus are all as important as the more technical parts, even if they aren’t quite as sexy. Patch management is too important to let slip, and it’s in the best interests of the entire company to make sure this is a success.
If you have any questions or feedback, leave me a comment below and I’ll try to help.