The first step is to put together your team that will be responsible for patching your organization’s systems. Team members should include folks from your security team, system administrators, and relevant business operations personnel. You should also collect the contact information for key system stakeholders in case you need to inform them of patch deployments.
System Inventory Management
To have an effective patch and vulnerability management program you need to have an accurate inventory of your systems. This includes laptops, servers, printers, scanners, network devices, and any software installed on your systems. How can you patch something if you don’t know that you have it? I would recommend using a dedicated inventory management tool to track your systems instead of excel spreadsheets. Inventory management tools can provide detailed information about most of your systems.
Continuous Vulnerability Monitoring
In an ideal world you would patch or remediate every vulnerability as soon as you detect it. In the real world however IT teams can be short of staff and may not be able to patch every vulnerability in a timely manner. This is why you want to prioritize high risk vulnerabilities before addressing lower risk vulnerabilities. Thankfully tools like Nessus categorize vulnerabilities for you, making it easy to determine which ones you should address first.
Remediation Database
You need to be tracking the vulnerabilities detected by your vulnerability scanner and the actions you have taken or plan to take to remediate them. You can document these in what is known as a remediation database. You can use an excel sheet to accomplish this.
Patch and Remediation Testing
Before deploying any patches or remediations you need to test them in a test environment. Deploying patches or vulnerability remediations directly to your production environment without any testing may result in unexpected downtime that can impact business operations.
Informing Administrators of Remediations
After testing your patches and remediations you need to inform the point of contact and any administrators who manage the system you seek to patch. That way if something goes wrong after the deployment they know what the likely cause was.
Verifying Remediation
After deploying patches and remediations you need to verify that they were applied. This can be accomplished by rescanning your systems with your vulnerability scanner.
Conclusion
With the information I provided in this post you should be able to put together a nice patch management program to help keep the bad guys.
Quick & Simple
Discover Our Cybersecurity Compliance Solutions:
Whether you need to meet and maintain your compliance requirements, help your clients meet them, or verify supplier compliance we have the expertise and solution for you
NIST SP 800-171 & CMMC Compliance
Become compliant, provide compliance services, or verify partner compliance with NIST SP 800-171 and CMMC requirements.
HIPAA Compliance
Become compliant, provide compliance services, or verify partner compliance with HIPAA security rule requirements.
FAR 52.204-21 Compliance
Become compliant, provide compliance services, or verify partner compliance with FAR 52.204-21 Basic Safeguarding of Covered Contractor Information Systems requirements.
ISO 27001 Compliance
Become compliant, provide compliance services, or verify partner compliance with ISO 27001 requirements.