

Patch management controls checklist

Posted on 2013-01-28
Medium Priority
Last Modified: 2013-02-13
Can anyone assist with putting together a top-level controls checklist of best-practice “patch management controls” that should be followed for effective patch management of business-critical (high availability) database servers?

I.e. a list that our audit/risk teams can compare against (“what should be being done” vs. “what is being done”) to verify what is happening on these systems, to ensure effective patch management.

Any sort of top-10 controls checklist would be useful. I can’t find much via Google.
If you have had experience in network and systems management before, especially from an “availability perspective”, what would good patch management look like, what would you look for, what can typically be improved, and what would poor patch management look like?
Question by:pma111
LVL 80

Accepted Solution

arnold earned 668 total points
ID: 38829792
Which OS database servers are involved?
Does a test environment exist?
Critical/security updates should be applied regularly in the test environment.
Then applied to production.
SQL updates have to be applied to both nodes; the OS updates can be applied individually to each node.

Analysis of possible attack vectors, i.e. what issue an update is correcting and whether that type of access is possible. E.g. an IE patch for a zero-day exploit: if the cluster in question makes no use of IE and has no access to any site, this update can be delayed. If, on the other hand, you have an SQL service zero-day where a certain type of access can allow a remote ser .. buffer overflow, and you have unsecured systems that can access these systems, that should place this update higher on the to-be-installed list.

Testing in a test environment, when available, is optimal.
LVL 65

Assisted Solution

btan earned 668 total points
ID: 38829812
Thought you should check out the NIST SP 800-40 draft Rev. 3, which talks about the challenges of patch management technology, summarises the SCAP-based metrics and recommends what to look out for; it may help. The process from identifying to installing to verifying provides the checks and balances needed, and most of the time the verification is ignored. Have you verified that all systems are patched, and to what level they are at...

The criticality of a patch depends on enterprise policy: how stringent and serious it is about keeping in sync with the threat landscape and its risk exposure. How a critical patch differs from an emergency patch depends on the response time and service level to internal and external customers. There is no one good bible for that... you are the best dictator. But I do see a serious gap if a patch never goes through a process to validate its integrity and is not staged before making it to production for release. Patches are also not bug free... the check is to prove its claim, that it was delivered over a trusted channel, and to log that it has been received.

From patching practices, business goes on, and even if there is mandated downtime, there is still an active and passive (or standby) system to serve the mass of users. First we need that understanding, else availability never comes into the picture. High availability is only achieved if there is a balanced system whereby at any one time the standby is patched and traffic is swung over at the application level, one at a time, until the active is the last to be patched... load balancer folks will know it best. A really bad scheme is a big bang without authorised agreement and policy backing for the administrator to do it on a shared hosting infrastructure... notice needs to be given and agreed upon. A contingency plan is needed if a patch goes haywire or a rollback is needed. They should be tested, just as BCPs need to be verified and not assumed.
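The two answers above, arnold's exposure-weighted prioritisation and btan's integrity check, standby-first rolling order and "did every node actually get it" verification, as one runnable example. This is added here and is not code from the thread, from NIST SP 800-40 or from any vendor tool; every node name, patch ID, severity, exposure score and package digest is constructed for illustration, and the severity-times-exposure weighting is one possible scheme, not a standard.

```python
"""Added example (not from the thread): risk-ranking, integrity-checking and
post-patch verification for a two-node HA database cluster.

Node names, patch IDs, severities, exposure scores and digests below are all
constructed for illustration; they are not real advisories or real systems.
"""
import hashlib
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Patch:
    patch_id: str
    component: str        # which piece the patch touches: "sql", "os", "browser" ...
    vendor_severity: int  # vendor rating, 1 (low) .. 4 (critical)
    sha256: str           # digest the vendor publishes over a trusted channel


@dataclass
class Node:
    name: str
    role: str                   # "active" or "standby"
    exposure: dict              # component -> 0.0 (not used / unreachable) .. 1.0 (reachable by untrusted callers)
    installed: set = field(default_factory=set)  # patch IDs already applied, from inventory


def local_priority(patch: Patch, nodes: list) -> float:
    """Vendor criticality weighted by how exposed *our* nodes actually are.

    A critical browser patch on a cluster that never runs a browser scores 0
    and can be delayed; a critical SQL fix on a reachable listener keeps its
    full weight (arnold's IE-vs-SQL-zero-day point).
    """
    exposure = max(n.exposure.get(patch.component, 0.0) for n in nodes)
    return patch.vendor_severity * exposure


def patch_order(patches: list, nodes: list) -> list:
    """Patches sorted highest local priority first (ties broken by ID)."""
    return sorted(patches, key=lambda p: (-local_priority(p, nodes), p.patch_id))


def verify_package(blob: bytes, patch: Patch) -> bool:
    """Prove the package is what the vendor published before staging it."""
    return hashlib.sha256(blob).hexdigest() == patch.sha256


def rolling_order(nodes: list) -> list:
    """Standby nodes first, active node last; traffic is swung between them."""
    standby = [n.name for n in nodes if n.role == "standby"]
    active = [n.name for n in nodes if n.role == "active"]
    return standby + active


def compliance_gaps(required: list, nodes: list) -> dict:
    """The verification step: which nodes are still missing which required patches."""
    gaps = {}
    for n in nodes:
        missing = sorted(p.patch_id for p in required if p.patch_id not in n.installed)
        if missing:
            gaps[n.name] = missing
    return gaps


# --- constructed sample data (hypothetical patch IDs and packages) ------------
SQL_PKG = b"constructed package bytes for SQL-2013-01"
IE_PKG = b"constructed package bytes for IE-2013-01"
OS_PKG = b"constructed package bytes for OS-2013-02"

PATCHES = [
    Patch("IE-2013-01", "browser", 4, hashlib.sha256(IE_PKG).hexdigest()),
    Patch("SQL-2013-01", "sql", 4, hashlib.sha256(SQL_PKG).hexdigest()),
    Patch("OS-2013-02", "os", 2, hashlib.sha256(OS_PKG).hexdigest()),
]

# The cluster: SQL listener reachable from less-trusted networks, OS services
# reachable from the admin network only, no browser use at all.
NODES = [
    Node("db-a", "active", {"sql": 1.0, "os": 0.5, "browser": 0.0}, {"OS-2013-02"}),
    Node("db-b", "standby", {"sql": 1.0, "os": 0.5, "browser": 0.0}, set()),
]


if __name__ == "__main__":
    print("install order:", [p.patch_id for p in patch_order(PATCHES, NODES)])
    print("node order:   ", rolling_order(NODES))
    print("SQL pkg ok:   ", verify_package(SQL_PKG, PATCHES[1]))
    print("tampered ok:  ", verify_package(SQL_PKG + b"x", PATCHES[1]))
    print("gaps:         ", compliance_gaps(PATCHES, NODES))
```

In a real deployment the `installed` sets would be fed from each node's actual update inventory rather than hard-coded, and the expected digests would come from the vendor's signed advisory; the point of `compliance_gaps` is that it is computed after the change window closes, so an auditor can show per node which required patches are still absent rather than assuming the rollout completed. Per arnold's note, a patch with component `"sql"` must appear in every node's `installed` set before the cluster is considered done, while OS patches can be tracked per node.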

Author Comment

ID: 38830243
Would you expect to see documented procedures per patch type, i.e. this is the exact process we must follow when applying these patches to system type x?
LVL 65

Expert Comment

ID: 38831001
The patch method is best advised by the vendor supplying it, so the steps should follow it as recommended. But the user dictates the severity and risk of applying it on the actual system. Criticality from the vendor does not translate into user severity but is used as a reference to gauge it; the security team will better advise the sysadmin. Normally a patch is packaged rather than going through many steps that can vary; go for the official release patch rather than engineering hotfixes, which then really need close step-by-step guidance from the vendor... (or the packaged patch does not work and needs manual "patching").
LVL 25

Assisted Solution

madunix earned 664 total points
ID: 38833962
When implementing updates, I prefer to plan ahead, test on a non-critical server, and create a change plan B. Also, after an update I prefer to restart the services or, in some cases, to reboot. Be sure to read the release notes; there may be special instructions related to some packages/patches.

