Patching can be a big challenge when you have hundreds, maybe even thousands, of IT assets to manage. With information security initiatives, it helps to have a documented process and policy to follow. You might like this simple 10-step patch management process template as well as a downloadable PDF that you can use for “office art.”
Step 1: Create an Inventory of all IT Assets
- Gather an inventory of all servers, storage, switches, routers, laptops, desktops, etc. on the network and distributed throughout the organization. Inventory can be gathered manually or through automated discovery tools.
Step 2: Categorize By Risk & Priority
- Once you have collected an inventory of IT assets, categorize each asset by the number of applicable patches, by risk (high, medium, or low), and by which assets need immediate attention.
Step 3: Utilize a Test Lab Environment
- Once you’ve completed an inventory and categorization, create a test lab environment that mirrors your production environment. The test lab should replicate the applications that you will use to test current patch updates.
Step 4: Security Personnel Evaluate Patch Stability
- In this stage, a member of your security team should test the stability of patches deployed to test or lab environment systems and applications.
Step 5: Monitor & Evaluate Lab Patch Updates
- Once patches have been deployed in the lab, your security staff should monitor these patches for any updates and evaluate whether any breaks occur.
Step 6: Create Backups on Production Environments
- After completing the testing in your lab environment, your staff should create a full backup of any data and any configurations set up within your environment. Personnel should also periodically test the backup and restore process to ensure it operates fully.
Step 7: Implement Configuration Management
- After your backups have been created and all lab patches tested, any changes to your production environment should be proposed and documented in the Configuration Management (CM) tool. If you experience any challenges during the rollout, you can refer back to the CM tool.
Step 8: Roll out Your Patches to Production
- After going through Configuration Management, it is time to roll out your patches. Patch any mission-critical hardware or applications after business hours. This allows you to closely monitor the patches and implement any disaster recovery plans, as necessary.
Step 9: Ensure Your Patches are Maintained Regularly
- After your patches roll out, you should continue to closely monitor the status of hardware and applications on the network to make sure there are no breaks or problems.
Step 10: Document Your Patch Management Process
- Ensure your entire patch management process and procedures are documented within your general information security policies and procedures. Your patch management policy should cover critical updates, non-critical updates, and any regularly scheduled maintenance periods.
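As an added illustration (not part of the original template), the Python sketch below turns the inventory from Step 1 into the prioritized queue Step 2 describes and assigns the after-hours window from Step 8. The CSV column names, the sample assets, and the rule that every high-risk asset with pending patches counts as "immediate" are assumptions made for the example.

```python
import csv
import io

# Constructed sample inventory (not real assets); column names are assumptions.
SAMPLE_INVENTORY = """\
asset,type,risk,applicable_patches,mission_critical
db-01,server,high,7,yes
sw-core,switch,medium,2,yes
lt-114,laptop,low,12,no
fs-02,storage,high,0,no
ws-021,desktop,medium,5,no
rtr-edge,router,hi,3,yes
"""

RISK_ORDER = {"high": 0, "medium": 1, "low": 2}


def build_patch_queue(inventory_csv):
    """Return (queue, rejected): prioritized assets and records that failed validation."""
    queue, rejected = [], []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        risk = row["risk"].strip().lower()
        try:
            patches = int(row["applicable_patches"])
        except ValueError:
            patches = -1
        if risk not in RISK_ORDER or patches < 0:
            rejected.append(row["asset"])  # correct the inventory record before scheduling
            continue
        if patches == 0:
            continue  # nothing applicable, so nothing to schedule
        critical = row["mission_critical"].strip().lower() == "yes"
        queue.append({
            "asset": row["asset"],
            "risk": risk,
            "patches": patches,
            # Assumed rule: high-risk assets with pending patches need immediate attention.
            "immediate": risk == "high",
            # Step 8: mission-critical systems are patched after business hours.
            "window": "after-hours" if critical else "standard",
        })
    # Highest risk first, then the largest patch backlog, then name for stable output.
    queue.sort(key=lambda a: (RISK_ORDER[a["risk"]], -a["patches"], a["asset"]))
    return queue, rejected


if __name__ == "__main__":
    queue, rejected = build_patch_queue(SAMPLE_INVENTORY)
    for a in queue:
        flag = "IMMEDIATE" if a["immediate"] else "-"
        print(f'{a["asset"]:<9} {a["risk"]:<7} {a["patches"]:>3} {a["window"]:<12} {flag}')
    print("needs inventory fix:", ", ".join(rejected))
```

Records with an unrecognized risk label or an unparsable patch count are returned separately rather than silently dropped, so gaps in the inventory surface before the rollout is planned.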
Hopefully, these helpful tips on patch management best practices will help you in the year ahead. Also, check out our previous post on the 'Realities of Patch Management Best Practices.' And, feel free to download and print our 10-step patch management process template below in PDF: