Approach patch management from a policy perspective
I am in charge of developing a patch management policy for our organization (about 450 users). Before I begin creating a patching framework specific to my environment, are there any specific factors I should take into consideration?
It's great that you are approaching the issue of patch management from a policy perspective first -- this is definitely one of the keys to success. For an organization of your size, I would not make the policy overly complicated. At a minimum, ensure the following issues are accounted for in your policy:
- Proactively monitoring security issues and patch releases from key vendors
- Prioritizing and scheduling patches in your environment
- Testing patches in your environment before widespread rollout
- Tracking changes and updates to your environment (change management)
- Regularly auditing the environment to ensure compliance with general patch management guidelines
For further detail on these issues, see my white paper published on the patchmanagement.org site.
Other resources that should assist you with designing your policy include:
This was first published in March 2005