Best Practices for Critical and Security Patches in Banking Environment
Posted on 2014-03-23
We have a bank client for whom we provide IT and Managed Services. In the new contract, they are asking us to provide, among other things, the following:
Quarterly analysis and delivery of customized patch bundle, monitor patches as released. Critical Security Patches shall be addressed quarterly or on an as-need basis. Critical Patch Updates will be provided within 3 days after OEM release. (FIRST ABC BANK needs to be notified on all critical and high risk alerts). All patches require testing prior to releasing into the FIRST ABC Bank environment.
QUESTION: What is the best practical way to apply critical updates and security patches that meets these requirements?
Microsoft recommends updates to be applied in a test environment first to ensure compatibility. This is impossible. There is no way the bank can maintain a fully functional "test" environment with all their corporate applications installed and current, to "test" Microsoft's constant releases, critical updates, security updates, fixes to updates, fixes to fixes, etc.
We are being asked to sign the contract with such wording in the contract: test before deployment.
Please provide recommendations!
Thanks in advance!