3 Ways to Meet the Patch Management ChallengeAfter 7 Years, NIST Updates Its Patch-Management Guidance
Patch management is a fundamental component of all organizations' information-security regime. Still, the patch-management process to identify, acquire, install and verify security updates for applications and systems isn't consistently applied by many organizations.
To encourage wider use of patch-management processes, the National Institute of Standards and Technology has issued a draft of Special Publication 800-40 Revision 3: Guide to Enterprise Patch Management Technologies. The revised guidance would replace SP 800-40 Revision 2 that NIST issued in 2005.
If done effectively, organizations that minimize the time they spend dealing with patching can use those resources to address other security concerns, write guidance authors Murugiah Souppaya and Karen Scarfone.
"Already, many organizations have largely operationalized their patch management, making it more of a core IT function than a part of security" the authors write. "However, it is still important for all organizations to carefully consider patch management in the context of security because patch management is so important to achieving and maintaining sound security."
The NIST guidance recommends that organizations:
- Deploy enterprise patch management tools using a phased approach that allows process and user communication issues to be addressed with a small group before deploying the patch application universally.
- Reduce the risks associated with enterprise patch management tools through the application of standard security techniques that should be used when deploying any enterprise-wide application. Deploying enterprise patch management tools within an enterprise can create additional security risks for an organization; however, a much greater risk is faced by organizations that do not effectively patch their systems.
- Balance their security needs with their needs for usability and availability. Organizations should make provisions for ensuring that their enterprise patching solution works for mobile hosts and other hosts used on low-bandwidth or metered networks.
NIST is seeking comments from stakeholders on its patch management draft guidance. Comments should be sent by Oct. 5 to firstname.lastname@example.org, with the subject line: SP 800-40 Comments.