Guide to Patch and Vulnerability Management

Patch management best practices

A systemized approach eases the work of managing patches

• Create an enterprise group responsible for identifying, testing and executing patches. Members should include people from the security team and daily operations. The team should include patches in an overall change-management workflow so that less critical patches will not wait long to be tested and deployed. Such patches will instead be rolled out on a similar schedule as other upgrades, feature changes and the like.
  
• Use a phased approach to applying live patches. First apply them to a small test group of users before a universal patch. When working with the small test group, reboot after each patch, rather than after the entire set of patches, to help identify which patch may be troublesome. 
  
• Standardize IT configurations wherever possible. Obviously, though, no one has a completely standardized IT infrastructure. So in your test group for live patches be sure to include a sample for each typical configuration that you will routinely ask the patch management product to update.  
  
• Include a measurement phase after each patch is implemented. This should measure current levels of susceptibility to attack, but should also document the time needed for patching and the cost for patching. This will help you make informed future business decisions on the patching process.
  
• Automate the patch management process as much as possible.