Building a Patch and Vulnerability Management Program

The first step is to put together your team that will be responsible for patching your organization’s systems. Team members should include folks from your security team, system administrators, and relevant business operations personnel. You should also collect the contact information for key system stakeholders in case you need to inform them of patch deployments.

To have an effective patch and vulnerability management program you need to have an accurate inventory of your systems. This includes laptops, servers, printers, scanners, network devices, and any software installed on your systems. How can you patch something if you don’t know that you have it? I would recommend using a dedicated inventory management tool to track your systems instead of excel spreadsheets. Inventory management tools can provide detailed information about most of your systems.

In an ideal world you would patch or remediate every vulnerability as soon as you detect it. In the real world however IT teams can be short of staff and may not be able to patch every vulnerability in a timely manner. This is why you want to prioritize high risk vulnerabilities before addressing lower risk vulnerabilities. Thankfully tools like Nessus categorize vulnerabilities for you, making it easy to determine which ones you should address first.

You need to be tracking the vulnerabilities detected by your vulnerability scanner and the actions you have taken or plan to take to remediate them. You can document these in what is known as a remediation database. You can use an excel sheet to accomplish this.

Before deploying any patches or remediations you need to test them in a test environment. Deploying patches or vulnerability remediations directly to your production environment without any testing may result in unexpected downtime that can impact business operations.

After testing your patches and remediations you need to inform the point of contact and any administrators who manage the system you seek to patch. That way if something goes wrong after the deployment they know what the likely cause was.

After deploying patches and remediations you need to verify that they were applied. This can be accomplished by rescanning your systems with your vulnerability scanner.

With the information I provided in this post you should be able to put together a nice patch management program to help keep the bad guys.