With security worries at all-time highs, security patches are no longer something that can be put off, ignored, or treated lackadaisically. In fact, some industries and states are enacting regulations that require companies that house or handle personally identifiable information to apply patches regularly. The specific wording of legislation and regulations differs, and it often leaves the timing of updates ambiguous with phrases like “reasonably up to date.” However, every IT service desk should have a patch policy in place defining how, when, and how often security patches are applied.
What is a Patch Policy?
A patch policy is an internal policy that governs when, how, and how often security patches must be applied. Naturally, the policy should be at least as stringent as any industry regulations or state mandates your business operates under. But for businesses that aren’t regulated by outside agencies, it’s up to you to establish a suitable policy.
Many software vendors release patches weekly or as needed, such as when a new threat is identified on the Internet. Microsoft has long used Patch Tuesday (since renamed Update Tuesday), a mass release of all security and system updates that occurs on the second Tuesday of each month. Apple regularly releases patches for Mac OS and iOS. Vendors like Adobe, browser makers, and other third-party application vendors have their own schedules for releasing patches. Use your software asset management system to keep track of when important patches are released.
What is a Good Patch Policy to Employ?
For important office software like operating systems and regularly used browsers, once per week is probably a good interval between regular updates. It isn’t recommended that businesses rely on fully automatic patching, such as the automatic updates Microsoft offers. It’s better to test each patch before installing and applying it, because sometimes these patches have unintended problems with other software, especially certain enterprise-level software.
In addition to downloading and installing patches, your service desk will need to choose an off-peak time to reboot systems, as many patches require a reboot in order to take effect. This is often done in the middle of the night or early in the morning before most users arrive. It’s important to communicate the scheduled reboot times to managers so that any users working outside normal business hours will be aware that the system will shut down at a particular time. A solid IT service management system usually has tools available to help schedule security patch updates.
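The two mechanical parts of the policy above (a weekly maximum patch age, and a rule that anything patched before the current month's Patch Tuesday is behind) are easy to check against an asset inventory. The following Python is an added example, not code from the original post or from any particular service management product; the `Asset` and `PatchPolicy` classes, the inventory rows, and the 03:00 reboot window are all constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date, datetime, timedelta


def patch_tuesday(year: int, month: int) -> date:
    """Return the second Tuesday of the given month (Microsoft's release day)."""
    first = date(year, month, 1)
    # date.weekday(): Monday == 0, Tuesday == 1
    days_to_first_tuesday = (1 - first.weekday()) % 7
    return first + timedelta(days=days_to_first_tuesday + 7)


def latest_patch_tuesday(today: date) -> date:
    """Most recent Patch Tuesday on or before `today` (may be last month's)."""
    this_month = patch_tuesday(today.year, today.month)
    if this_month <= today:
        return this_month
    prev_year, prev_month = (today.year - 1, 12) if today.month == 1 else (today.year, today.month - 1)
    return patch_tuesday(prev_year, prev_month)


@dataclass
class Asset:
    hostname: str
    last_patched: date
    reboot_pending: bool = False


@dataclass
class PatchPolicy:
    max_patch_age_days: int = 7      # the post's weekly cadence
    reboot_window_hour: int = 3      # assumed off-peak window: 03:00 local time
    findings: list = field(default_factory=list)


def evaluate(asset: Asset, policy: PatchPolicy, today: date) -> list:
    """Return a list of policy findings for one asset (empty list == compliant)."""
    findings = []
    age_days = (today - asset.last_patched).days
    if age_days > policy.max_patch_age_days:
        findings.append(f"patch age {age_days}d exceeds policy maximum {policy.max_patch_age_days}d")
    if asset.last_patched < latest_patch_tuesday(today):
        findings.append("not yet patched since the most recent Patch Tuesday")
    if asset.reboot_pending:
        findings.append("reboot pending; applied patches are not effective until restart")
    return findings


def next_reboot_window(now: datetime, policy: PatchPolicy) -> datetime:
    """Next occurrence of the off-peak reboot hour strictly after `now`."""
    candidate = now.replace(hour=policy.reboot_window_hour, minute=0, second=0, microsecond=0)
    if candidate <= now:
        candidate += timedelta(days=1)
    return candidate


def compliance_report(assets: list, policy: PatchPolicy, today: date) -> dict:
    """Map hostname -> findings for every non-compliant asset."""
    return {a.hostname: f for a in assets if (f := evaluate(a, policy, today))}


# Constructed sample inventory, evaluated as of Friday 2024-03-15
# (Patch Tuesday that month fell on 2024-03-12).
SAMPLE_DAY = date(2024, 3, 15)
SAMPLE_ASSETS = [
    Asset("fileserver-01", date(2024, 3, 13)),                        # patched post-Tuesday, fine
    Asset("ws-accounting-07", date(2024, 3, 13), reboot_pending=True),  # patched, never rebooted
    Asset("kiosk-lobby", date(2024, 2, 20)),                          # weeks behind
]

if __name__ == "__main__":
    for host, problems in compliance_report(SAMPLE_ASSETS, PatchPolicy(), SAMPLE_DAY).items():
        print(host)
        for p in problems:
            print("  -", p)
    print("next reboot window:", next_reboot_window(datetime(2024, 3, 15, 17, 30), PatchPolicy()))
```

The report deliberately treats a pending reboot as a finding in its own right: a host that has downloaded and installed a patch but not restarted is, for the purposes of the policy, still unpatched, which is why the post insists on a scheduled off-peak reboot rather than leaving it to users.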
Tips & Tricks: Hardware Drivers, User Machines, and Other Sticky Situations
In addition to scheduling patches and reboots when it’s most convenient for the business, you’ll need to plan for things like hardware driver installation and updates, as well as reboots for user machines. Most professionals consider it best practice to install hardware drivers on an as-needed basis rather than on a fixed schedule. Regarding user reboots, many companies simply ask users to reboot their systems at least once per week. If users forget or fail to do this, you can also consider a policy requiring users to shut down their machines for the weekend, which not only ensures a weekly reboot but also saves on power costs over time.
Any time a particularly malicious threat is running rampant across the Internet, it’s probably a good idea to move the patch schedule ahead. Just be sure the vendor has actually addressed the threat in the patch before installing it and letting your guard down.