
Best Practices for Critical and Security Patches in Banking Environment

Posted on 2014-03-23
Last Modified: 2014-04-11
We have a bank client to whom we provide IT and Managed Services. In the new contract, they are asking us to provide, among other things, the following:

       Quarterly analysis and delivery of customized patch bundle, monitor patches as released.  Critical Security Patches shall be addressed quarterly or on an as-need basis. Critical Patch Updates will be provided within 3 days after OEM release.  (FIRST ABC BANK needs to be notified on all critical and high risk alerts). All patches require testing prior to releasing into the FIRST ABC Bank environment.

QUESTION:  What is the best practical way to apply critical updates and security patches that meets these requirements?

Microsoft recommends updates to be applied in a test environment first to ensure compatibility.  This is impossible.  There is no way the bank can maintain a fully functional "test" environment with all their corporate applications installed and current, to "test" Microsoft's constant releases, critical updates, security updates, fixes to updates, fixes to fixes, etc.

We are being asked to sign the contract with such wording in the contract---test before deployment.  

Please provide recommendations!

Thanks in advance!

Regards,
SFJCPU
0
Question by:sfjcpu
5 Comments
 
LVL 25

Expert Comment

by:Mohammed Khawaja
ID: 39948846
As part of the agreement and best practices, ask the bank to set up a test environment.
0
 
LVL 25

Expert Comment

by:Tony Giangreco
ID: 39948892
As mentioned above, set up a test environment with the same apps used in the bank. Document the environment and run tests after applying the security updates. Maintain a log of results after each update is applied for your protection and the ability to back up the work you have performed.
0
 
LVL 25

Expert Comment

by:madunix
ID: 39949071
When implementing updates, I prefer to plan ahead, test on a non-critical server, and create a change plan B. Also be sure to read the release notes; there may be special instructions related to some patches.
0
 

Author Comment

by:sfjcpu
ID: 39955886
Thanks for the above comments.  

With a complex network such as a banking environment, with many servers and applications, is it practical to set up a test environment where all Microsoft security and critical updates can be applied before deploying in the "real" network?

Compliance requires them to be installed soon after release, but there are unforeseen risks when they are installed. We all have a limited amount of time to research every patch!

I like "madunix's" comment on planning ahead, reading the release notes but it still comes down to deciding on:
1.  being compliant for the auditors,
2.  being at risk for having unpatched systems,
3.  taking the risk of installing updates in a live environment.  

This surely is a dilemma for many IT professionals!   How are others balancing the problem?
0
 
LVL 25

Accepted Solution

by:
Mohammed Khawaja earned 2000 total points
ID: 39955988
We are not a bank, but what we do is create snapshots for virtualized environments prior to patching, as well as a system state backup; for non-virtualized, we make sure to take a system state backup of the servers. In case of failure, we could revert to the snapshot or system state.
0
