Solved

patching and audit

Posted on 2013-02-07
Last Modified: 2013-02-12
What do (or should) auditors be looking for in terms of process and documentation for patching of Windows servers (guests running 2008 Server on ESXi)? What kind of weaknesses or lack of documentation/process would they pick issue with? What is best general practice, and what can go wrong with the process? If you have ever had your WSUS procedures or a corporate-wide patch management policy audited, what areas did they focus on?
0
Question by:pma111
4 Comments
 
LVL 120
ID: 38864588
Firstly, it should not matter whether the server is physical or virtual, and also what OS type.

Do the patches which you are deploying fix a security risk within your organisation?

How are the security patches being regression tested in your environment?
0
 
LVL 3

Author Comment

by:pma111
ID: 38864616
Thanks

1) Do you maintain any sort of documentation on 'this is how we patch and the steps we follow'? If so, what do you refer to this document as, and is it important to have such a document?

2) Secondly, how would an auditor verify the last patching exercise followed that process to the letter? What evidence would there be?

3) And thirdly, do you set targets on patch application, i.e. 3 critical security patches released by MS - we aim to apply them within x days? If yes, what do you refer to that target as?
0
 
LVL 120

Accepted Solution

by: Andrew Hancock (VMware vExpert / EE MVE^2) earned 500 total points
ID: 38864653
1. All documentation is maintained by the patch system that's used. Patches issued are checked against Microsoft's KB to check what they do. Patches are then tested against the test environment, on a PASS OR FAIL basis, and documented on a monthly basis.

2. Check the Excel spreadsheets of patches deployed and tested.

3. All patches are regression tested after Patch Tuesday, and then applied 7 days later, providing Change Control/Change Board approve patches for services. Sometimes some patches are rolled out into schedules for server maintenance windows.
0
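Added example, not from the thread: a PowerShell report that turns a server's installed-hotfix list into the per-patch evidence an auditor could sample against a stated target such as the 7-day window described above. The 7-day target, the CSV file name and the KB-SAMPLE records are assumptions (the records are constructed so the script runs offline); on a real Windows server the records come from Get-HotFix.

```powershell
# Added example: per-patch evidence against an "apply within N days of Patch Tuesday" target.
# Real input: Get-HotFix | Where-Object { $_.InstalledOn } | Select HotFixID, Description, InstalledOn

$TargetDays = 7   # assumed target taken from the change policy

function Get-PatchTuesday {
    # Second Tuesday of the month that contains $Date (midnight, so day arithmetic is exact).
    param([datetime]$Date)
    $first  = New-Object DateTime $Date.Year, $Date.Month, 1
    $offset = ([int][DayOfWeek]::Tuesday - [int]$first.DayOfWeek + 7) % 7
    return $first.AddDays($offset + 7)
}

function Get-ReleaseTuesday {
    # Most recent Patch Tuesday on or before the install date. Caveat: InstalledOn is a local
    # event, not Microsoft's release date, so an out-of-band patch is measured conservatively
    # (it looks later than it is); cross-check such rows against the KB article.
    param([datetime]$InstalledOn)
    $pt = Get-PatchTuesday $InstalledOn
    if ($pt -gt $InstalledOn) { $pt = Get-PatchTuesday ($InstalledOn.AddMonths(-1)) }
    return $pt
}

# Constructed sample records standing in for Get-HotFix output (KB ids are placeholders).
$hotfixes = @(
    (New-Object PSObject -Property @{ HotFixID = 'KB-SAMPLE-1'; Description = 'Security Update'; InstalledOn = [datetime]'2013-01-15' }),
    (New-Object PSObject -Property @{ HotFixID = 'KB-SAMPLE-2'; Description = 'Security Update'; InstalledOn = [datetime]'2013-01-30' }),
    (New-Object PSObject -Property @{ HotFixID = 'KB-SAMPLE-3'; Description = 'Update';          InstalledOn = [datetime]'2013-02-10' })
)

$report = foreach ($h in $hotfixes) {
    $release = Get-ReleaseTuesday $h.InstalledOn
    $days    = ($h.InstalledOn.Date - $release).Days
    New-Object PSObject -Property @{
        HotFixID     = $h.HotFixID
        Description  = $h.Description
        PatchTuesday = $release.ToString('yyyy-MM-dd')
        InstalledOn  = $h.InstalledOn.ToString('yyyy-MM-dd')
        DaysToApply  = $days
        WithinTarget = ($days -le $TargetDays)
    }
}

# On-screen summary plus a dated CSV, which is the artefact to file with the change record.
$report | Sort-Object InstalledOn | Format-Table HotFixID, PatchTuesday, InstalledOn, DaysToApply, WithinTarget -AutoSize
$report | Export-Csv -Path ".\patch-evidence-$(Get-Date -Format 'yyyyMM').csv" -NoTypeInformation
"$(@($report | Where-Object { -not $_.WithinTarget }).Count) of $($report.Count) patches missed the $TargetDays-day target"
```

With the constructed records, KB-SAMPLE-1 lands exactly on the 7-day target while the other two fall outside it (22 and 33 days), which is the kind of exception an auditor would expect to see matched to a change-board decision.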
 
LVL 3

Author Comment

by:pma111
ID: 38864673
So is your overall workflow from patch release to patch applied documented? A scan of our systems shows they are almost fully patched, but there's no real documentation on how they did the whole patching and decision process. Is this a big risk in your opinion? If yes, can you elaborate why the patch process needs a documented step by step? Thanks
0
