Solved

patching and audit

Posted on 2013-02-07
4
456 Views
Last Modified: 2013-02-12
What do (or should) auditors be looking for in terms of process and documentation for patching of windows servers (guests running 2008 server on esxi)? What kind of weaknesses or lack of documentation/process would they pick issue with? What is best general practice, what can go wrong with the process? If you have ever had your WSUS procedures or a corporate wide patch management policy audited, what areas did they focus on.
0
Comment
Question by:pma111
  • 2
  • 2
4 Comments
 
LVL 119
ID: 38864588
firstly, it should not matter whether the server is physical or virtual, and also what OS type.

Do the patches which you are deploying,. fix a secutiry risk within your organisation?

how are the security patches being regression tested in your environment?
0
 
LVL 3

Author Comment

by:pma111
ID: 38864616
Thanks

1)Do you maintain any sort of documentation on 'this is how we patch and the steps we follow?', if so what do you refer to this document as and is it important to have such a document?

2) Secondly how would an auditor verify the last patching exercise followed that process to the letter , what evidence would their be?

3) And thirdly do you set targets on patch application, ie 3 critical security patches released by MS - we aim to apply them within x days? If yes what do you refer to that target as?
0
 
LVL 119

Accepted Solution

by:
Andrew Hancock (VMware vExpert / EE MVE^2) earned 500 total points
ID: 38864653
1. All documentation is maintained by the patch system that's used. Patches are issued are checked, against Microsoft's KB to check what they do. Patches are then tested against the test environment, on a PASS OR FAIL basis, and documented on a monthly basis.

2. Check the Excel spreadsheets of Patches deployed and tested.

3. All patches are regression test, after patch Tuesday, and then applied a 7 days later, providing Change Control/Change Board Approve Patches for Services. Sometimes some patches are rolled out into schedules for server maintence windows.
0
 
LVL 3

Author Comment

by:pma111
ID: 38864673
So is your overall workflow from patch release to patch applied documented? A scan of our systems show they are almost fully patched - but there's no real documentation on how they did the whole patching and decision process? Is this a big risk in your opinion? If yes can you elaborate why the patch process needs a documented step by step? Thanks
0

Featured Post

Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

When converting a physical machine to a virtual machine using VMware vCenter Converter Standalone or vCenter Converter Enterprise, if an adapter type is not selected during the initial customization the resulting virtual machine may contain an IDE d…
Last article we focus in how to VMware: How to create and use VMs TAGs – Part 1 so before follow this article and perform the next tasks, you should read the first article how to create the TAG before using them in Veeam Backup Jobs.
Teach the user how to install ESXi 5.5 and configure the management network System Requirements: ESXi Installation:  Management Network Configuration: Management Network Testing:
Teach the user how to join ESXi hosts to Active Directory domains Open vSphere Client: Join ESXi host to AD domain: Verify ESXi computer account in AD: Configure permissions for domain user in ESXi: Test domain user login to ESXi host:

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question