Solved

patching and audit

Posted on 2013-02-07
4
460 Views
Last Modified: 2013-02-12
What do (or should) auditors be looking for in terms of process and documentation for patching of windows servers (guests running 2008 server on esxi)? What kind of weaknesses or lack of documentation/process would they pick issue with? What is best general practice, what can go wrong with the process? If you have ever had your WSUS procedures or a corporate wide patch management policy audited, what areas did they focus on.
0
Comment
Question by:pma111
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
4 Comments
 
LVL 120
ID: 38864588
firstly, it should not matter whether the server is physical or virtual, and also what OS type.

Do the patches which you are deploying,. fix a secutiry risk within your organisation?

how are the security patches being regression tested in your environment?
0
 
LVL 3

Author Comment

by:pma111
ID: 38864616
Thanks

1)Do you maintain any sort of documentation on 'this is how we patch and the steps we follow?', if so what do you refer to this document as and is it important to have such a document?

2) Secondly how would an auditor verify the last patching exercise followed that process to the letter , what evidence would their be?

3) And thirdly do you set targets on patch application, ie 3 critical security patches released by MS - we aim to apply them within x days? If yes what do you refer to that target as?
0
 
LVL 120

Accepted Solution

by:
Andrew Hancock (VMware vExpert / EE MVE^2) earned 500 total points
ID: 38864653
1. All documentation is maintained by the patch system that's used. Patches are issued are checked, against Microsoft's KB to check what they do. Patches are then tested against the test environment, on a PASS OR FAIL basis, and documented on a monthly basis.

2. Check the Excel spreadsheets of Patches deployed and tested.

3. All patches are regression test, after patch Tuesday, and then applied a 7 days later, providing Change Control/Change Board Approve Patches for Services. Sometimes some patches are rolled out into schedules for server maintence windows.
0
 
LVL 3

Author Comment

by:pma111
ID: 38864673
So is your overall workflow from patch release to patch applied documented? A scan of our systems show they are almost fully patched - but there's no real documentation on how they did the whole patching and decision process? Is this a big risk in your opinion? If yes can you elaborate why the patch process needs a documented step by step? Thanks
0

Featured Post

DevOps Toolchain Recommendations

Read this Gartner Research Note and discover how your IT organization can automate and optimize DevOps processes using a toolchain architecture.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this article, I will show you HOW TO: Suppress Configuration Issues and Warnings Alert displayed in Summary status for ESXi 6.5 after enabling SSH or ESXi Shell.
Giving access to ESXi shell console is always an issue for IT departments to other Teams, or Projects. We need to find a way so that teams can use ESXTOP for their POCs, or tests without giving them the access to ESXi host shell console with a root …
This Micro Tutorial steps you through the configuration steps to configure your ESXi host Management Network settings and test the management network, ensure the host is recognized by the DNS Server, configure a new password, and the troubleshooting…
This video shows you how easy it is to boot from ISO images for virtual machines with the ISO images stored on a local datastore on the ESXi host.

737 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question