Thursday, 16 May 2013

Patch Auditing and Compliance

The number of systems connected to any network can be extensive, and keeping them secure is an on-going task. Whether your network has desktop systems running Windows or Linux with their host of applications, or web, email or database servers, they all get patched.

Patches and security hot-fixes are provided on an on-going and ad-hoc basis by multiple vendors, at different times and for different reasons. Ensuring everything is protected from the latest security risks can therefore be a difficult job.

Given the frequency of patches, a Patch Audit needs to be conducted at agreed intervals. This should be in line with vendor patch cycles and your Patch Management Process, but an audit should also be conducted when needed in response to unplanned critical patch releases.
The patch audit will help ensure that your network is properly protected and that users of desktop systems are taking up patches and updates as required.

Performing a Patch Audit
As with a Compliance Audit, patch auditing is usually conducted against a live network, by an auditor with full access to the network so that the results are accurate. The audit is performed mainly with automated tools; however, manual assessment of compliance is always required to ensure complete and efficient auditing.

A comprehensive Patch Audit Report will be provided that shows whether audit results are as expected. If not, then guidance is given on what needs to be corrected and a follow-up audit performed.

When the audit shows the patch status is as expected, the auditor will provide a clear notification and detail the supporting evidence. You can then use this to inform any external party that requires you to demonstrate adherence to your Patch Management Process.
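The core of the automated part of such an audit is a comparison of what is installed on each host against the patch level the current cycle requires, with the result recorded per host as evidence. The following is an added example (not code from the original post); the baseline, the hosts and every version number in it are constructed sample data.

```python
"""Patch-audit comparison: check each host's installed package versions against a
required baseline and produce the per-host evidence an audit report needs. Added
example, not code from the original post; all hosts, packages and versions are constructed."""
import re

# Constructed baseline: minimum version each package must reach after the current
# patch cycle (e.g. the build carrying the latest security fix).
BASELINE = {"openssl": "1.0.1e", "bash": "4.2.45", "kernel": "3.2.46"}

# Constructed inventory as an automated tool would collect it: (host, package, version).
INVENTORY = [
    ("web01", "openssl", "1.0.1e"), ("web01", "bash", "4.2.45"), ("web01", "kernel", "3.2.46"),
    ("db01", "openssl", "1.0.1c"), ("db01", "bash", "4.2.45"), ("db01", "kernel", "3.2.10"),
    ("mail01", "openssl", "1.0.1e"), ("mail01", "kernel", "3.2.50"),
]

def version_key(version):
    """Comparable parts so '3.2.10' > '3.2.9' and '1.0.1e' > '1.0.1c'; numeric parts
    become ints and each part is tagged so mixed comparisons never raise TypeError."""
    parts = re.findall(r"\d+|[a-zA-Z]+", version)
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in parts)

def audit(inventory, baseline, expected_hosts):
    """Return {host: {"status": ..., "findings": [(pkg, installed, required, result)]}}.
    'compliant' when every baseline package is ok, 'non-compliant' when any is outdated,
    'review' when packages are only missing (absence may be legitimate, so it goes to
    manual assessment); expected hosts absent from the inventory are 'not-seen'."""
    seen = {}
    for host, pkg, ver in inventory:
        seen.setdefault(host, {})[pkg] = ver
    report = {}
    for host in expected_hosts:
        if host not in seen:
            report[host] = {"status": "not-seen", "findings": []}
            continue
        findings = []
        for pkg, required in sorted(baseline.items()):
            installed = seen[host].get(pkg)
            if installed is None:
                findings.append((pkg, None, required, "missing"))
            elif version_key(installed) < version_key(required):
                findings.append((pkg, installed, required, "outdated"))
            else:
                findings.append((pkg, installed, required, "ok"))
        results = {f[3] for f in findings}
        status = ("non-compliant" if "outdated" in results
                  else "review" if "missing" in results else "compliant")
        report[host] = {"status": status, "findings": findings}
    return report
```

Passing the list of hosts the audit is expected to cover, rather than only the hosts the tool happened to see, is what stops an unreachable machine from being mistaken for a compliant one.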
