Any IT professional knows that keeping system patches up to date is critical, especially since patches address critical functions like security and stability. With recent security issues such as Spectre and Meltdown, the importance of patches is becoming more important, but even patches pose risks at times. It takes an informed IT team to manage which patches are appropriate and what techniques are needed to install them.
Patch management isn't as easy as installing whatever recommendations your system offers - there's much more to it than that. IT teams must take into account the specific (and often custom) architecure of their environments, integration points, and how hardware and software could be affected. At worst, ports could be closed, infrastructure could be disabled, and the system could fail. To combat this, six steps in a proper patch management plan should be taken. They are:
- Make a priority of patch management: By prioritizing patch management over other IT tasks, team members have the necessary time to install and test patches.
- Keep an up to date inventory: IT needs an accurate accounting of every asset in the inventory to know which patches are needed and when. It's suggested that enterprises work towards hardware and software standardization to make this task easier.
- Test, test, test: Evaluate systems for potential patch conflicts, and then methodically install said patches with plenty of testing afterwards. If possible, build a test environment isolated from your production environment.
- Accept that it will be difficult: The process of patching, especially on a large system, will not be easy. However, accepting that the process is a necessary evil for the safety and stability of the system will make it all the more palatable to complete.
- Put someone in charge: Any IT tech can install patches, but it's important to maintain accountability for patches being managed. By assigning an IT tech to oversee patches there's a better chance that patches are installed, tested, and updated.
- Keep a record: Having detailed records of the who/what/when/where/why of patch maintenance makes future maintenance easier, especially if there's turnover in your IT department.
These suggestions can be more easily accomplished via patch management software (either commercial or bespoke), or, for smaller enterprises, strict adherence to a comprehensive patch policy. Making a good habit of patch disclipline not only helps to proactively safeguard systems, it familiarizes IT departments with the process when crisis hits and patches are needed immediately. By doing this, systems can be kept online and in production.
This article was based on an April 11, 2018 IT News article by Mary K. Pratt.