Solved

Patch  management controls checklist

Posted on 2013-01-28
5
918 Views
Last Modified: 2013-02-13
Can anyone assist with putting together a top level controls checklist of best practice “patch management controls” that should be followed for effective patch management of business critical (with high availability) database servers?

I.e. a list that our audit/risk teams should compare to (( “what should be being done, to what is being done”))  verify what is happening on these systems, to ensure for effective patch management.

Any sort of top 10 controls checklist would be useful. I can’t find much via Google.
If you have had experience in network and systems management before, especially from “availability perspective”, what would good patch management look like, what would you look for, what can typically be improved, what would poor patch management look like?
0
Comment
Question by:pma111
5 Comments
 
LVL 76

Accepted Solution

by:
arnold earned 167 total points
Comment Utility
Which OS database servers are involved?
Does a test environment exist?
Critical/security updates should be updated regularly in the test environment.
Then applied to the production.
Sql updates have to be applied to oth nodes, the OS updates can be applied individually to each node.

Analysis of possible attack vectors, I.e. what the issue an update is correcting and whether this type of access is possible. I.e. IE patch for zero day exploit. If the cluster in question has no Use of IE and has no access to any site, this update can be delayed. If on the other hand you have an SQL service zero day that a certain type of access can allow a remote ser .. Buffer overflow and you have unsecured systems that can access these systems should place this update higher on the to-be installed list.

Testing in a testing evironment when available is optimal.
0
 
LVL 61

Assisted Solution

by:btan
btan earned 167 total points
Comment Utility
Thought you should check out the nist SP800-40 draft rev3 talking on the challenges of the patch management technology and summarizing the SCAP based metric and recommending what to look out for as user may help. The process from identifying, installing to verifying are the check balances needed and most of the time the verification is ignored. Do you verified all systems are patch and to what level are they at...

The criticality for patch depends on enterprise policy on how stringent and serious about keeping in sync with the threat landscape and their risk exposure.  How is critical and emergency patch differs depends on the respond time and service level to internal and external customer. There is no one good bible to that...you are the best dictator. But I do see there is serious gap if patch never go through process to validate its integrity and staged it before making to production for release. Patch are also not bug free...the check is to proof its claim and delivered in trusted channel and logged it has been well received.

Form patching practices, business goes on and even if there is mandated downtime, there is still a active and passive or standby system to serve the mass users. At first we need that understanding else availability never come into picture. High availability is only achieved if there is a balanced system whereby any one time the standby is patched and traffic is swinged in application level one at a time till the active is the last to be patched...load balancer folks will knowbit best. Really bad scheme is a big bang without authorised agreement and policy backing for administrator to do it for a shared hosting infrastructure...notice need to be done and agreed upon. Contingency plan is needed if patch goes haywired or needed rollback. They should be tested just like we need to make BCP  are verified and not assumed.
0
 
LVL 3

Author Comment

by:pma111
Comment Utility
Would you expect to see documented procedures per patch type, i..e this is the exact process we must follow when applying these patches to system type x.
0
 
LVL 61

Expert Comment

by:btan
Comment Utility
Patch method is best advice by the vendor supplying it so the steps follow it as recommended. But the user dictate the severity and risk of applying on actual system. Criticality from the vendor does not translate into user severity but is used as reference to gauge - security tm will better advise the sys admin. normally patch is packaged rather than going into many steps that can varied, go for official release patch rather than engineering hotfixes which then really need close guidance steps from vendor...(or packaged patch does not work and need manual "patching")
0
 
LVL 25

Assisted Solution

by:madunix
madunix earned 166 total points
Comment Utility
When implementing updates, I prefer to plan ahead, test on a non-critical server, create a change plan B. Also after an update I prefer to restart the services or in some cases to reboot. Be sure to read the release notes, there may be special instructions related some packages/patches.
0

Featured Post

Maximize Your Threat Intelligence Reporting

Reporting is one of the most important and least talked about aspects of a world-class threat intelligence program. Here’s how to do it right.

Join & Write a Comment

Container Orchestration platforms empower organizations to scale their apps at an exceptional rate. This is the reason numerous innovation-driven companies are moving apps to an appropriated datacenter wide platform that empowers them to scale at a …
PRTG Network Monitor lets you monitor your bandwidth usage, so you know who is using up your bandwidth, and what they're using it for.
Viewers will learn how to connect to a wireless network using the network security key. They will also learn how to access the IP address and DNS server for connections that must be done manually. After setting up a router, find the network security…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now