Policies are Great, Execution is Better!

This is my last article in my patch management series. In previous articles I have described many of the challenges of patch management. In this article, I am wrapping up this series discussing the role of security policies and the importance of implementing robust patch management processes.

All security frameworks refer to the importance of security policies within the organization. Security policies provide the requirements or expectations for securing certain aspects of the enterprise. Each organization will develop a set of policies that aligns with its overall governance model and culture.

Typically these will follow some sort of policy hierarchy. The names and definitions may vary, but hierarchies generally have 3-5 levels, where the top-level policies are general statements of principle and the lowest level consists of procedural steps or guidelines that are specific to a set of technologies and serve as instructional guidance to system administrators.

Example Policy Hierarchy

  • Policies – Broad statements of principle, change infrequently, approved at senior level, apply organization-wide.
  • Standards – Focus on requirements and controls, describe how to implement policy, detailed process that requires conformity.
  • Procedures – How to comply with a standard, step-by-step process, uses instructions, references automated processes/tools.
  • Guidelines – Best practices, encouraged but not required, helpful hints, user guides.

For example, the security policy may state:

“All critical security patches must be installed within 48 hours of notification by the security department”

Policies also describe responsibilities of different stakeholders involved in managing cybersecurity. For example, in a patching policy, roles and responsibilities may be defined for:

  • Security vulnerability analysis
  • Patching communications and publication
  • Patch testing and installation
  • Patch level verification/testing

There may also be responsibilities defined for overall process owners, policy owners, and executive management.

I believe that security policies play an important part in the overall enterprise security model. However, in many organizations I have worked with, the challenge is not the definition of the policy but its implementation.

For example, it is easy to state in a policy that “all critical patches are implemented within 48 hours of publication”, but the challenge is: how do you ensure this actually happens in practice?

“Equifax knew its patch management and certificate management processes were deficient and action was needed to make the processes effective. The Apache Struts patching failure illustrates the disconnect between policy development and operational execution. The Patch Management Policy included defined roles for personnel responsible for patching activities, but Equifax failed to designate employees to fill these roles. Equifax knew the patching process operated on “the honor system,” yet failed to establish a mechanism to ensure accountability and compliance” – US House of Representatives Committee on Oversight and Government Reform, “The Equifax Data Breach” Report, December 2018.

Organizations need to ensure that there are robust processes supporting security policy requirements. Key stakeholders should understand their responsibilities and be trained. Automated tools can help ensure consistent process execution and should be used rather than relying on human intervention, which has a higher probability of execution failure. Processes should be closed loop, with metrics and measures providing feedback on process execution effectiveness. There should be clear escalation paths when patches are not installed on schedule. Management should receive regular metrics and updates to monitor progress.

Security policies play an important role within the security framework but, without supporting processes to ensure the requirements are implemented, they have little value.

Questions for Executives

Questions for your organization to consider:

  1. Do your enterprise security policies have effective supporting processes that ensure all the policy requirements are met?
  2. Do all stakeholders and responsible parties know their responsibilities?
  3. Are all key stakeholders trained in their roles?
  4. How are you ensuring ongoing compliance with your stated security policies?

This concludes my series on Patch Management. 

Contact Graeme to schedule a time to speak to your Board or Executive Team.
