10-Step Patch Management Checklist

Jane-Michele Clark
Director of Business Strategy
Cybersecurity
Estimated reading time: 4 min

February 1, 2023

July 14, 2025

As you likely know already, having a strong patch management system will not only ensure you have the most recent updates for your operating systems and all the applications running on them, but will help you roll out new software and/or features effectively (and only to the users who need the upgrade), fix bugs, and greatly reduce security vulnerabilities.

Here are the 10 Steps That Many Experts Recommend

1. Ensure Your Inventory List is Current and Complete

Having a baseline inventory of all operating systems, applications and firmware is the critical first step to ensuring you are able to accurately assess your organisation’s current patching status. Given this, it was surprising to learn that less than 50% of Canadian companies/institutions have accurate or complete lists.

As part of this baseline inventory assessment, determine which version of each operating system and application is being used by each team member (or student, trainee or other stakeholder), on each of their connected devices.

Note: If your organization is too large or diversified to conduct a manual audit, there are automated patch management software solutions that can help.

2. Identify Endpoints that Need Patching

This is pretty self-explanatory, but it is included as a separate point because it often gets forgotten.

3. Develop a Standardization Plan – and Follow the Plan!

Running multiple versions of operating systems and/or applications can increase costs, as well as increase the likelihood of poor communication between systems, and of applications failing to operate as intended.

It is advisable to determine which version of each program you want users to be running, and develop a game plan to standardise use across the organisation. Obviously, this is more complex than simply upgrading to the latest version. Dependencies need to be considered, as well as any proprietary changes that may have been made.

You also need to take into account the hardware requirements for operating specific systems and applications. For instance, not every device that can easily and effectively run Windows 10 is capable of running Windows 11. Hence the need to include hardware in your inventory assessment.

4. Develop a Priority-Based Roll-Out Plan

If you are like most organisations, you will likely identify multiple updates and/or upgrades in Step #2. As it is very risky to deploy all patches at once, it makes sense to assess the vulnerabilities that each patch is intended to address, or the bugs it will “fix” – and assess the risk to your institution/company of the patch not being deployed.

Then create your order of deployment, starting with the most critical ones, of course.
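As an added illustration of Steps 1 to 4 (this is not code from the article), the following Python compares a constructed endpoint inventory against a standardization baseline, flags endpoints that are below the target version or have no recorded version at all, and orders the resulting patch groups by a constructed risk score. The hostnames, product names, version strings and risk values are all assumptions.

```python
from collections import defaultdict


def parse_version(text):
    """'10.0.19045' -> (10, 0, 19045), so versions compare numerically
    rather than as strings (where '9' would sort after '10')."""
    return tuple(int(part) for part in text.split("."))


# Constructed sample data (not from the article): per-endpoint installed
# versions from the Step 1 inventory, and target versions from the Step 3
# standardization plan. lab-07 has no firmware version on record.
INVENTORY = {
    "desk-01": {"os": "10.0.19045", "browser": "120.0", "firmware": "1.4"},
    "desk-02": {"os": "10.0.19041", "browser": "118.2", "firmware": "1.4"},
    "lab-07": {"os": "10.0.19045", "browser": "120.0"},
}
BASELINE = {"os": "10.0.19045", "browser": "120.0", "firmware": "1.4"}
# Constructed risk score (1-10) of leaving each product unpatched (Step 4).
RISK = {"os": 9, "browser": 7, "firmware": 4}


def find_gaps(inventory, baseline):
    """Step 2: return (host, product, installed) for every endpoint below
    target. A missing version is reported as 'unknown' so the inventory gap
    itself stays visible instead of being silently skipped."""
    gaps = []
    for host, installed in sorted(inventory.items()):
        for product, target in baseline.items():
            current = installed.get(product)
            if current is None:
                gaps.append((host, product, "unknown"))
            elif parse_version(current) < parse_version(target):
                gaps.append((host, product, current))
    return gaps


def rollout_order(gaps, risk):
    """Step 4: order patch groups by risk, then by number of affected
    endpoints. Returns [(product, [hosts, ...]), ...], most critical first."""
    affected = defaultdict(list)
    for host, product, _ in gaps:
        affected[product].append(host)
    return sorted(affected.items(),
                  key=lambda item: (-risk.get(item[0], 0), -len(item[1]), item[0]))


if __name__ == "__main__":
    for product, hosts in rollout_order(find_gaps(INVENTORY, BASELINE), RISK):
        print(f"{product}: {', '.join(hosts)}")
```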

5. Test in a Safe Environment

Wherever possible, test a patch with a limited number of users, or in a “lab-like” environment, to ensure it does not cause problems for mission-critical software.

If you are using a “lab”, limit the amount of time the patch spends here as you need to balance maintaining system functionality against the dangers of allowing a vulnerability to remain “unpatched”.

6. Test Patch Stability and Functionality

As part of Step #3, have your security team confirm that the patch is stable, doesn’t cause any of your operating systems or applications to crash, and that it does indeed address the vulnerability it is designed to correct.

In particular, you should also check that it works with all your security software and doesn’t impact anything negatively.

7. Run a Pilot Patch Deployment

Even if you test things perfectly, there can still be glitches. A pilot deployment gives you one last chance to fix anything that didn’t come up in your “lab/safe” environment.

8. Catalogue Patches, Test Data and Deployment Details

Create, and update with every deployment, a list of the patches that were tested, the results and any changes needed to make things work together seamlessly.

Also, keep track of the date(s) that patches are pushed out, and what happens to the network post-deployment, as well as user responses (in particular, complaints received).

9. Develop a Patch Management Approval Process

Have a formal process in place to determine how decisions are to be made about which patches to deploy – or not. This process should also clearly delineate what steps are to be taken in making this determination, and who has the final authority over what to deploy, and when.

10. Consider Using a Centralized Patch Management Server

This can give you even better control over your patching – and make your life easier, too.

I hope you found this info helpful.  If you would like more information, please feel free to contact us: [email protected] or call us at 416.429.0796 or 1.877.238.9944 (toll free).
