How To Manage A Patch Management Process



Similar documents
PATCH MANAGEMENT. February The Government of the Hong Kong Special Administrative Region

ITIL Service Lifecycle Stream

Module 1 Study Guide

JOB DESCRIPTION. T&T Security and Resilience Manager. Technology and Telecommunications. Bedford, Chelmsford or Norwich

Guardian365. Managed IT Support Services Suite

BCS-ISEB Business Analysis Training

MS 10751A - Configuring and Deploying a Private Cloud with System Center 2012

UMHLABUYALINGANA MUNICIPALITY IT CHANGE MANAGEMENT POLICY

Applying ITIL v3 Best Practices

AN OVERVIEW OF INFORMATION SECURITY STANDARDS

Karen Winter Service Manager Schools and Traded Services

TECHNICAL VULNERABILITY & PATCH MANAGEMENT

Microsoft Software Update Services and Managed Symantec Anti-virus. Michael Satut TSS/Crown IT Support

JOB SPECIFICATION. Service Support Manager ORGANISATION CHART: JOB PURPOSE:

Management of Information Systems. Certification of Secure Systems and Processes

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

Maestro Managed Services from Silicon allows organisations large and small to forget about internal IT systems management and support and instead

QUALITY MANAGEMENT IN VTS

Lot 1 Service Specification MANAGED SECURITY SERVICES

G-Cloud Service Definition. Atos Information Security Wireless Scanning Service

Marval Software Limited. G Cloud iii Framework Service Definition

IT & Asset Management Quick-Start Consulting Services for Clients

iso20000templates.com

Configuration Management System:

IT Service Continuity Management PinkVERIFY

Course 10751A: Configuring and Deploying a Private Cloud with System Center 2012

Configuration control ensures that any changes to CIs are authorized and implemented in a controlled manner.

Thales Service Definition for NOC Services for Cloud

pavassure Resolve Service desk Onsite diagnosis and recovery Enhanced hours support Monitor Event monitoring & alerting Reporting Services

PART II ITIL FOUNDATIONS FOR SNIA CERTIFICATION SERVICE DELIVERY & STORAGE MANAGEMENT. Dr. D. Akira Robinson, Dept of Navy American ITIL, Ltd.

ITIL A guide to service asset and configuration management

ISO/IEC Part 1 the next edition. Lynda Cooper project editor for ISO20000 part 1

Infrastructure Support Engineer Job Profile

G Cloud III Framework Lot 4 (SCS) Project Management

Configuring and Deploying a Private Cloud with System Center 2012

How small and medium-sized enterprises can formulate an information security management system

G-Cloud 6 Service Definition DCG Cloud Disaster Recovery Service

MS 20247C Configuring and Deploying a Private Cloud

How To Be An Itil Service Desk Manager

Computer Security: Principles and Practice

Patch Management Policy

Network Configuration Management

28400 POLICY IT SECURITY MANAGEMENT

Schedule 2Z Virtual Servers, Firewalls and Load Balancers

Job No. (Office Use) Directorate Corporate Services Department Programme Management Office Reports to (Job Title) If No state reason

MAXIMUM PROTECTION, MINIMUM DOWNTIME

CENTRAL BANK OF KENYA (CBK) PRUDENTIAL GUIDELINE ON BUSINESS CONTINUITY MANAGEMENT (BCM) FOR INSTITUTIONS LICENSED UNDER THE BANKING ACT

MSP Service Matrix. Servers

INFORMATION SECURITY GOVERNANCE ASSESSMENT TOOL FOR HIGHER EDUCATION

Job Description. The post-holder will be expected to implement and work within the University s Policies, Procedures and Guidelines.

D-G4-L4-126 Police contact management and demand reduction review Deloitte LLP Service for G-Cloud IV

Pegasus Business Cloud

ITIL Introducing service transition

Service Support Kasse Initiatives, LLC. ITIL Configuration Management - 1. version 2.0

A Decision Maker s Guide to Securing an IT Infrastructure

ISEB MANAGER S CERTIFICATE IN ITIL INFRASTRUCTURE MANAGEMENT. Guidelines for candidates who are taking the ICT Infrastructure Examination

SERVICE DEFINITION G-CLOUD 7 SECURE FILE TRANSFER DIODE. Classification: Open

D-G4-L4-231 Data Governance Assessment Design and Implementation Deloitte LLP Service for G- Cloud IV

ISO/IEC Part 1 the next edition

Auxilion Service Desk as a Service. Service Desk as a Service. Date January Commercial in Confidence Auxilion 2015 Page 1

BUSINESS CONTINUITY POLICY

Cyber Essentials Scheme

Policy Title: HIPAA Security Awareness and Training

Remote Infrastructure Support Services & Managed IT Services

Trainning Education Services Av. Paulista, º andar SP Tel/Fax: 55+ (11)

Internal Audit Progress Report Performance and Overview Committee (19 th August 2015) Cheshire Fire Authority

South West Lincolnshire NHS Clinical Commissioning Group Business Continuity Policy

PATCH MANAGEMENT POLICY IT-P-016

ITIL v2 to v3 qualification conversion

Committees Date: Subject: Public Report of: For Information Summary

Patch Management Procedure. e-governance

ITIL: What is it? How does ITIL link to COBIT and ISO 17799?

We are Passionate about Total Security Management Architecture & Infrastructure Optimisation Review

MANAGEMENT SOLUTIONS SAFEGUARD BUSINESS CONTINUITY AND PRODUCTIVITY WITH MIMECAST

The Asset Management Landscape

Dedicated Hosted Exchange 2013

Microsoft Windows Intune: Cloud-based solution

September 2005 Report No FDIC s Information Technology Configuration Management Controls Over Operating System Software

Business Operations. Module Db. Capita s Combined Offer for Business & Enforcement Operations delivers many overarching benefits for TfL:

How To Manage A Service Transition

Cyber security and critical national infrastructure

CACI Cloud Consulting Services

Free ITIL v.3. Foundation. Exam Sample Paper 1. You have 1 hour to complete all 40 Questions. You must get 26 or more correct to pass

Job description. Job title: Server Infrastructure Analyst 1

The Education Fellowship Finance Centralisation IT Security Strategy

JOB DESCRIPTION QUESTIONNAIRE FOR SUPPORT STAFF

ICT Strategy

Practical IT Service Management: Rapid ITIL Without Compromise

Shmeisani: Al-Hussary Street Anshasi Sq P.O. Box Amman Jordan Telephone:

Transcription:

PATCH MANAGEMENT: CHANGE, CONFIGURATION AND RELEASE OR SOMETHING MORE? By Grant Adams Principal Consultant Fox IT March 2007 Fox IT 2007 Page 1 of 6

PATCH MANAGEMENT Ask many IT Managers what Patch Management is about and they ll respond that it is mostly the deployment of Service Packs and patches required to keep worms and viruses at bay. As IT infrastructure becomes more complex and businesses demand reduced downtime; coupled with the increasing anxiety around governance and regulatory compliance, e.g. Sarbanes-Oxley and HIPAA; IT Managers are required to gain greater and sustained control of their IT assets. To ensure these challenges can be met, IT Managers are increasingly endeavouring to ensure that the configuration of their infrastructure is consistent and secure. This is not limited to server operating systems and applications, but includes enterprise business applications; remote workers; desktop operating systems and office applications. With the rapid development of these and the decreasing time to exploit of recent worms and viruses, IT Managers are under mounting pressure to safeguard the confidentiality, integrity and availability of their infrastructures. This has ensured that Patch Management has a greater priority than ever before. Patch Management, like any other IT service, requires people, process and technology. The marketplace contains a plethora of automated software tools to manage and control patch deployments; but how can we ensure that these tools are executed appropriately by skilled, technical staff? Robust, dependable and repeatable processes, that s how! PATCH MANAGEMENT PROCESS DEVELOPMENT Many IT Managers have looked to best practice frameworks, such as ITIL and MOF to provide guidance in the development and execution of their Patch Management processes. Numerous organisations base their patch management process exclusively on change, configuration and release management. The benefit of this approach will help to ensure that the patch is deployed using standardised methods in order that the impact of any patch related incidents are minimised, and will also ensure that the IT infrastructure affected can be identified, controlled, maintained and verified whilst all aspects of the patch both technical and non-technical, are considered together. Whilst all of this is helpful, it still leaves many vital questions unanswered. TYPICAL PATCH MANAGEMENT PROCESS We may have implemented what, at first glance, appears to be an efficient process, but how do we identify what the unanswered questions are; why are they important and how do we answer them? Fox IT 2007 Page 2 of 6

To determine what those unanswered questions are, we need to examine the Patch Management strategy. If the strategy deals only with controlling patch deployments, then it is likely that there are few unanswered questions. But consider this; would the business and its stakeholders be satisfied with a well deployed patch that created service vulnerabilities? Absolutely not. Protecting the current environments is of equal importance to successfully deploying patches. This suggests that the scope of the strategy need to be broadened to include the protection of the existing test and production environments. Whilst it is generally accepted that any new software update, including patches need to be assessed; identified; evaluated and planned; and deployed, how can we ensure that all aspects of the service, technical and non-technical, that the patch supports are considered? How do we identify the required patches? What criteria are patches assessed against and how are they prioritised? What standards exist to manage the building, testing and implementing of patches? How will patches be decomposed prior to rebuilding? Where will they be tested? How will they be deployed and installed? Where will the configured patch be stored and how will it be stored? How will we assess the business impact? How will we recover from unsuccessful patches? How are standard builds updated to include deployed patches? All of these questions and many more can be identified and answered by mapping an organisation s Patch Management process to ITIL. Is the patch assessed for suitability, function and purpose? Are configuration details recorded? Is there a separate Test and Production environment? Is a record or inventory kept of the Production and Test environment s components? Is there an established testing area and methodology? Is there an established risk assessment and contingency planning methodology? How does identification of the need for an update occur? Is the update relevant to this environment? Are all the details of the update available, e.g. in bulletins or reports? Can a preferred implementation time be identified? Can the patch be obtained from source and verified as safe, secure and free from virus infection? Is a recognised Project methodology to be used? Are there dependencies to be planned for and managed, e.g. size, capacity constraints? Has the deployment method been identified, agreed and planned for? Is there a formal process for accepting new Releases or Updates into Deployment? Is there a mechanism for monitoring and controlling the deployment? Is there a mechanism for dealing with stalled or failed deployments? Is a new Baseline for the updated environment required? Fox IT 2007 Page 3 of 6

MAPPING PATCH MANAGEMENT TO ITIL Mapping an organisation s patch management requirements to best practice service management will ensure that all aspects of service management are considered in the development of the patch management process. Through this sort of mapping exercise it is possible to identify the activities that ensure that the patch is deployed properly and the production environment is protected. Fox IT 2007 Page 4 of 6

ENHANCED PATCH MANAGEMENT PROCESS DEVELOPMENT To assist in the identification of the questions that you need to answer, consider the objectives of the service management processes against the backdrop of patch management. For example; How will we fulfil our mandatory and/or regulatory requirements in the event of a service failure caused by a failed patch deployment? How will we manage business disruption during an incident caused by a failed patch deployment? In the event of service outage as a result of a failed patch deployment, how will we recover services efficiently in business priority order? Have we updated our Continuity plans to reflect recent patch deployments? IT Service Continuity Management It is only when you have considered all of these issues that you can begin to develop an enhanced patch management service that will ensure that your patches are deployed successfully whilst also protecting your test and production environments. Fox IT 2007 Page 5 of 6

ABOUT FOX IT Fox IT is a global IT Service Management and Governance company, providing organisations with consultancy and education in methodologies and technologies that help them to align their IT operations with their business strategy to ensure good IT Governance. Fox IT provides Patch Management services that are designed to ensure that an organisation has efficient Patch Management processes and has effective operations staff who understand their responsibilities and are able to achieve maximum benefit from the appropriate tools and technologies. Fox IT can be contacted by telephone on +44 (0) 1483 221200 or by email to sales@foxit.net. ABOUT THE AUTHOR Grant Adams is an experienced Service Management professional with over 16 years experience of technical, service, project and line management duties. Grant has qualifications in ITIL, MOF, ISO20000, Prince2 as well as many technical qualifications relating to the Microsoft environment. His experience includes many years in the planning, building, deploying and operating of medium to large Microsoft infrastructures. This has resulted in Grant being Fox IT s lead consultant in the delivery of IT Service Management in Microsoft Environments. He has developed and delivered service management consultancy services for the assessment and implementation of Patch Management; Managing Active Directory and Group Policy Objects; and Developing and Deploying Server Build Images using MS ADS. He is currently leading the development of consultancy and training services focused on Microsoft s Infrastructure Optimisation Initiative and Dynamic Systems Initiative. In addition Grant has worked with other technology suppliers to develop supporting processes such as Storage Management for Hitachi Data Systems. Grant was involved in the development of Fox IT s ISO20000 Service Line and brings practical experience of assisting a major UK banking organisation to achieve ISO20000 certification. Grant is also accredited by both the ISEB and EXIN to deliver service management training courses and is a Member of the British Computer Society. Fox IT 2007 Page 6 of 6

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information