Patch management controls checklist

Posted on 2013-01-28
Last Modified: 2013-02-13
Can anyone assist with putting together a top level controls checklist of best practice “patch management controls” that should be followed for effective patch management of business critical (with high availability) database servers?

I.e. a list that our audit/risk teams should compare ("what should be being done" to "what is being done") to verify what is happening on these systems, to ensure effective patch management.

Any sort of top 10 controls checklist would be useful. I can’t find much via Google.
If you have had experience in network and systems management before, especially from “availability perspective”, what would good patch management look like, what would you look for, what can typically be improved, what would poor patch management look like?
Question by: pma111
LVL 78

Accepted Solution

arnold earned 167 total points
ID: 38829792
Which OS database servers are involved?
Does a test environment exist?
Critical/security updates should be updated regularly in the test environment.
Then applied to the production.
SQL updates have to be applied to both nodes; the OS updates can be applied individually to each node.

Analysis of possible attack vectors, i.e. what issue an update is correcting and whether this type of access is possible. E.g. an IE patch for a zero-day exploit: if the cluster in question has no use of IE and has no access to any site, this update can be delayed. If, on the other hand, you have an SQL service zero day that a certain type of access can allow a remote ser .. buffer overflow, and you have unsecured systems that can access these systems, this should place this update higher on the to-be-installed list.

Testing in a test environment, when available, is optimal.
LVL 64

Assisted Solution

btan earned 167 total points
ID: 38829812
Thought you should check out the NIST SP 800-40 draft Rev. 3, which talks about the challenges of patch management technology, summarizes the SCAP-based metrics and recommends what to look out for as a user; it may help. The process from identifying and installing to verifying is the checks and balances needed, and most of the time the verification is ignored. Have you verified that all systems are patched, and to what level they are at...

The criticality of a patch depends on enterprise policy, on how stringent and serious it is about keeping in sync with the threat landscape and its risk exposure. How a critical patch differs from an emergency one depends on the response time and service level to internal and external customers. There is no one good bible to be the best dictator. But I do see a serious gap if a patch never goes through a process to validate its integrity and is staged before making it to production for release. Patches are also not bug free... the check is to prove its claim, that it was delivered through a trusted channel, and to log that it has been well received.

From patching practices, business goes on, and even if there is mandated downtime there is still an active and a passive or standby system to serve the mass of users. First we need that understanding, else availability never comes into the picture. High availability is only achieved if there is a balanced system whereby at any one time the standby is patched and traffic is swung at the application level one node at a time, till the active is the last to be patched... the load balancer folks will know it best. A really bad scheme is a big bang without authorised agreement and policy backing for the administrator to do it on a shared hosting infrastructure... notice needs to be given and agreed upon. A contingency plan is needed if the patch goes haywire or needs rollback. They should be tested, just like we need to make sure BCPs are verified and not assumed.
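The verification gap described above (patched, but to what level, and was it checked rather than assumed), together with the test-before-production and standby-before-active ordering from the answers, can be expressed as an automated audit check. The Python below is an added example and is not code from this thread or from any of its posters; the host inventory, environment roles, patch identifiers, dates and the seven-day soak policy are all constructed assumptions chosen to exercise each control.

```python
"""Patch-compliance audit check (added example, not from the original thread).

Three controls the thread describes, each turned into a function that returns
findings an audit team can compare against policy:
  1. verify installed patch levels against a baseline instead of assuming them,
  2. a patch reaches production only after it was staged in test and soaked there,
  3. in an active/standby pair the standby node is patched before the active one.
All host names, patch ids, dates and the soak period are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Host:
    name: str
    env: str         # "test" or "prod"
    role: str        # "active", "standby" or "n/a"
    installed: dict  # patch id -> date the patch was verified installed


# Constructed sample inventory (hypothetical names, ids and dates).
HOSTS = [
    Host("test-db01", "test", "n/a", {
        "DB-SEC-2013-001": date(2013, 1, 5),
        "DB-SEC-2013-002": date(2013, 1, 5),
        "OS-2013-017": date(2013, 1, 5),
    }),
    Host("prod-db-standby", "prod", "standby", {
        "DB-SEC-2013-001": date(2013, 1, 14),
        "DB-SEC-2013-002": date(2013, 1, 20),
    }),
    Host("prod-db-active", "prod", "active", {
        "DB-SEC-2013-001": date(2013, 1, 16),
        "DB-SEC-2013-002": date(2013, 1, 10),   # before standby and before soak ended
    }),
]

# Baseline: patches every database node must carry (constructed ids).
REQUIRED = ["DB-SEC-2013-001", "DB-SEC-2013-002", "OS-2013-017"]
SOAK_DAYS = 7   # assumed policy: minimum time a patch sits in test before prod


def missing_patches(hosts, required=REQUIRED):
    """Control 1: report every host lacking a baseline patch."""
    return {h.name: [p for p in required if p not in h.installed]
            for h in hosts if any(p not in h.installed for p in required)}


def staging_violations(hosts, soak_days=SOAK_DAYS):
    """Control 2: flag prod installs of patches never staged in test, or installed
    before the soak period after the first test install had elapsed."""
    first_in_test = {}
    for h in hosts:
        if h.env == "test":
            for p, d in h.installed.items():
                first_in_test[p] = min(d, first_in_test.get(p, d))
    findings = []
    for h in hosts:
        if h.env != "prod":
            continue
        for p, d in h.installed.items():
            if p not in first_in_test:
                findings.append((h.name, p, "never staged in test"))
            elif d < first_in_test[p] + timedelta(days=soak_days):
                findings.append((h.name, p, "installed before %d-day soak ended" % soak_days))
    return findings


def ordering_violations(hosts):
    """Control 3: a patch on the active node must already be on the standby,
    and must not have landed on the active node first."""
    standby = {p: d for h in hosts if h.env == "prod" and h.role == "standby"
               for p, d in h.installed.items()}
    active = {p: d for h in hosts if h.env == "prod" and h.role == "active"
              for p, d in h.installed.items()}
    return sorted(p for p, d in active.items() if p not in standby or d < standby[p])


def audit(hosts=HOSTS):
    """Collect all findings keyed by control, for the policy-versus-practice comparison."""
    return {
        "missing": missing_patches(hosts),
        "staging": staging_violations(hosts),
        "ordering": ordering_violations(hosts),
    }


if __name__ == "__main__":
    for control, findings in audit().items():
        print(control, findings)
```

Run against the constructed inventory it reports both production nodes missing OS-2013-017, DB-SEC-2013-002 landing on the active node before the soak period ended, and the same patch reaching the active node before the standby. In practice the `installed` maps would be filled from the actual package or update inventory of each host (the verification step), not from a deployment tool's record of what it intended to install.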

Author Comment

ID: 38830243
Would you expect to see documented procedures per patch type, i.e. "this is the exact process we must follow when applying these patches to system type x"?
LVL 64

Expert Comment

ID: 38831001
The patch method is best advised by the vendor supplying it, so the steps follow it as recommended. But the user dictates the severity and risk of applying it on the actual system. Criticality from the vendor does not translate into user severity but is used as a reference to gauge it - the security team will better advise the sysadmin. Normally a patch is packaged rather than going into many steps that can vary; go for the official release patch rather than engineering hotfixes, which then really need close guidance steps from the vendor... (or the packaged patch does not work and needs manual "patching").
LVL 25

Assisted Solution

madunix earned 166 total points
ID: 38833962
When implementing updates, I prefer to plan ahead, test on a non-critical server, and create a change plan B. Also, after an update I prefer to restart the services or, in some cases, to reboot. Be sure to read the release notes; there may be special instructions related to some packages/patches.
