Pau Lo
asked on
patching and audit
What do (or should) auditors be looking for in terms of process and documentation for patching of Windows servers (guests running Server 2008 on ESXi)? What kind of weaknesses or lack of documentation/process would they take issue with? What is best general practice, and what can go wrong with the process? If you have ever had your WSUS procedures or a corporate-wide patch management policy audited, what areas did they focus on?
ASKER
Thanks
1) Do you maintain any sort of documentation on "this is how we patch and the steps we follow"? If so, what do you refer to this document as, and is it important to have such a document?
2) Secondly, how would an auditor verify that the last patching exercise followed that process to the letter? What evidence would there be?
3) And thirdly, do you set targets on patch application, i.e. 3 critical security patches released by MS - we aim to apply them within x days? If yes, what do you refer to that target as?
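The time-to-apply target in point 3 and the evidence question in point 2 can be checked mechanically from an export of release and install dates. This is an added example, not code from the thread or from WSUS: Python over a constructed record set, with placeholder KB ids and assumed per-severity targets.

```python
"""Patch-SLA evidence from a constructed WSUS-style export (not thread data)."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed targets (days from vendor release to install) per severity.
# Illustrative placeholders, not a published standard.
SLA_DAYS = {"Critical": 14, "Important": 30, "Moderate": 90}

@dataclass
class PatchRecord:
    server: str
    kb: str                    # placeholder ids, not real KB numbers
    severity: str
    released: date             # vendor release date
    installed: Optional[date]  # None = not yet installed on this server

def evaluate(records, as_of):
    """Days taken vs. target per record; unfinished ones are judged as of `as_of`."""
    findings = []
    for r in records:
        target = SLA_DAYS[r.severity]
        if r.installed is None:
            days = (as_of - r.released).days
            status = "missing" if days > target else "pending"
        else:
            days = (r.installed - r.released).days
            status = "met" if days <= target else "late"
        findings.append({"server": r.server, "kb": r.kb, "severity": r.severity,
                         "days": days, "target": target, "status": status})
    return findings

def compliance_rate(findings):
    """Share of decided records that met target; 'pending' is not counted yet."""
    scored = [f for f in findings if f["status"] != "pending"]
    return sum(f["status"] == "met" for f in scored) / len(scored) if scored else 1.0

# Constructed sample: two servers, three placeholder patches, audit date below.
AS_OF = date(2012, 4, 15)
SAMPLE = [
    PatchRecord("srv-a", "KB-EXAMPLE-1", "Critical", date(2012, 3, 13), date(2012, 3, 20)),
    PatchRecord("srv-b", "KB-EXAMPLE-1", "Critical", date(2012, 3, 13), date(2012, 4, 10)),
    PatchRecord("srv-a", "KB-EXAMPLE-2", "Moderate", date(2012, 3, 13), None),
    PatchRecord("srv-b", "KB-EXAMPLE-3", "Critical", date(2012, 2, 14), None),
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE, AS_OF):
        print(f"{f['server']} {f['kb']} {f['severity']}: {f['days']}d "
              f"(target {f['target']}) -> {f['status']}")
    print(f"compliance: {compliance_rate(evaluate(SAMPLE, AS_OF)):.0%}")
```

The per-record table is the kind of artefact an auditor can tie back to a written target; "missing" rows are the ones that need a documented exception or a remediation date.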
ASKER CERTIFIED SOLUTION
ASKER
So is your overall workflow from patch release to patch applied documented? A scan of our systems shows they are almost fully patched, but there's no real documentation on how they did the whole patching and decision process. Is this a big risk in your opinion? If yes, can you elaborate on why the patch process needs a documented step by step? Thanks
Do the patches which you are deploying fix a security risk within your organisation?
How are the security patches being regression tested in your environment?