Solved

patching and audit

Posted on 2013-02-07
4
451 Views
Last Modified: 2013-02-12
What do (or should) auditors be looking for in terms of process and documentation for patching of windows servers (guests running 2008 server on esxi)? What kind of weaknesses or lack of documentation/process would they pick issue with? What is best general practice, what can go wrong with the process? If you have ever had your WSUS procedures or a corporate wide patch management policy audited, what areas did they focus on.
0
Comment
Question by:pma111
  • 2
  • 2
4 Comments
 
LVL 117
ID: 38864588
firstly, it should not matter whether the server is physical or virtual, and also what OS type.

Do the patches which you are deploying,. fix a secutiry risk within your organisation?

how are the security patches being regression tested in your environment?
0
 
LVL 3

Author Comment

by:pma111
ID: 38864616
Thanks

1)Do you maintain any sort of documentation on 'this is how we patch and the steps we follow?', if so what do you refer to this document as and is it important to have such a document?

2) Secondly how would an auditor verify the last patching exercise followed that process to the letter , what evidence would their be?

3) And thirdly do you set targets on patch application, ie 3 critical security patches released by MS - we aim to apply them within x days? If yes what do you refer to that target as?
0
 
LVL 117

Accepted Solution

by:
Andrew Hancock (VMware vExpert / EE MVE) earned 500 total points
ID: 38864653
1. All documentation is maintained by the patch system that's used. Patches are issued are checked, against Microsoft's KB to check what they do. Patches are then tested against the test environment, on a PASS OR FAIL basis, and documented on a monthly basis.

2. Check the Excel spreadsheets of Patches deployed and tested.

3. All patches are regression test, after patch Tuesday, and then applied a 7 days later, providing Change Control/Change Board Approve Patches for Services. Sometimes some patches are rolled out into schedules for server maintence windows.
0
 
LVL 3

Author Comment

by:pma111
ID: 38864673
So is your overall workflow from patch release to patch applied documented? A scan of our systems show they are almost fully patched - but there's no real documentation on how they did the whole patching and decision process? Is this a big risk in your opinion? If yes can you elaborate why the patch process needs a documented step by step? Thanks
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

It Is not possible to enable LLDP in vSwitch(at least is not supported by VMware), so in this article we will enable this, and also go trough how to enabled CDP and how to get this information in vSwitches and also in vDS.
This article will show you how to create an ISO CD-ROM/DVD-ROM image (*.iso), and MD5 checksum signature, for use with VMware vSphere Hypervisor 6.5 (ESXi 6.5). It's a good idea to compare checksums, because many installations fail because of a corr…
Teach the user how to use create log bundles for vCenter Server or ESXi hosts Open vSphere Web Client: Generate vCenter Server and ESXi host log bundle:  Open vCenter Server Appliance Web Management interface and generate log bundle: Open vCenter Se…
Teach the user how to join ESXi hosts to Active Directory domains Open vSphere Client: Join ESXi host to AD domain: Verify ESXi computer account in AD: Configure permissions for domain user in ESXi: Test domain user login to ESXi host:

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now