The IT Law Wiki
Revision as of 07:50, 22 December 2010

Definition

Patch management is

the process of acquiring, testing, and distributing patches to the appropriate administrators and users throughout the organization.[1]

Overview

Patch management is a critical process that can help alleviate many of the challenges of securing computing systems. A component of configuration management, it includes acquiring, testing, applying, and monitoring patches to a computer system. Flaws in software code that could cause a program to malfunction generally result from programming errors that occur during software development. The increasing complexity and size of software programs contribute to the growth in software flaws.

As vulnerabilities in a system are discovered, attackers may attempt to exploit them, possibly causing significant damage. Organizations that actively manage and use software patches can reduce the chances that the vulnerabilities in their IT systems can be exploited; in addition, they can save time and money that might be spent in responding to vulnerability-related incidents.

Malicious acts can range from defacing websites to taking control of entire systems, which lets an attacker read, modify, or delete sensitive information; disrupt operations; or launch attacks against other organizations’ systems. After a vulnerability is validated, the software vendor may develop and test a patch or workaround to mitigate the vulnerability. Incident response groups and software vendors issue information updates on the vulnerability and the availability of patches.

Patch management tools automate the otherwise manual process of acquiring, testing, and applying patches to a computer system. These tools can be used to identify missing patches on systems, deploy patches, and generate reports to track the status of a patch across various computers.

Obstacles to implementing effective patch management include:

  1. installing patches quickly while at the same time testing them adequately before installation
  2. patching heterogeneous systems
  3. ensuring that mobile systems receive the latest patches
  4. avoiding unacceptable downtime when patching systems that require a high degree of availability, and
  5. dedicating sufficient resources to patch management.

NIST states that organizations should promptly install newly released security-relevant patches, service packs, and hot fixes and test them for effectiveness and potential side effects on the organization’s information systems.
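The two functions a patch management tool performs above (finding missing patches across a fleet and reporting their status) and the tension NIST describes (installing promptly while still testing adequately) can be shown together in a small example. The following Python is an added illustration, not a NIST, GAO, or vendor tool; the patch identifiers, package versions, host names, and the "test"/"prod" ring model are constructed for the example. Patches go to a test ring first, and production hosts only receive a patch once every test host has it installed and has reported a passing result.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Patch:
    patch_id: str          # constructed identifier, not a real vendor advisory
    package: str           # package the patch updates
    fixed_version: tuple   # first version that contains the fix


@dataclass
class Host:
    name: str
    ring: str              # "test" (patched first) or "prod" (waits for test results)
    installed: dict        # package name -> installed version tuple


def parse_version(text):
    """'3.0.12' -> (3, 0, 12). Tuples compare component-wise, so 3.0.9 < 3.0.12
    (a plain string comparison would get that wrong)."""
    return tuple(int(part) for part in text.split("."))


def missing_patches(host, patches):
    """Patches whose package is installed on the host at a version below the fix."""
    missing = []
    for patch in patches:
        installed = host.installed.get(patch.package)
        if installed is not None and installed < patch.fixed_version:
            missing.append(patch)
    return missing


def compliance_report(hosts, patches):
    """Status report: missing patch ids per host, and how many hosts lack each patch."""
    per_host = {}
    per_patch = {patch.patch_id: 0 for patch in patches}
    for host in hosts:
        missing = missing_patches(host, patches)
        per_host[host.name] = sorted(patch.patch_id for patch in missing)
        for patch in missing:
            per_patch[patch.patch_id] += 1
    return per_host, per_patch


def deployment_plan(hosts, patches, test_results):
    """Staged rollout. test_results maps patch_id -> {test host name: passed?}.
    Returns patch_id -> sorted list of hosts that should receive it now."""
    plan = {}
    test_hosts = [h for h in hosts if h.ring == "test"]
    for patch in patches:
        targets = []
        # The test ring always receives a missing patch promptly.
        for host in test_hosts:
            if patch in missing_patches(host, patches):
                targets.append(host.name)
        # Production waits until every test host has the patch installed and
        # has reported a pass. An empty test ring clears nothing.
        cleared = bool(test_hosts) and all(
            patch not in missing_patches(h, patches)
            and test_results.get(patch.patch_id, {}).get(h.name) is True
            for h in test_hosts
        )
        if cleared:
            for host in hosts:
                if host.ring == "prod" and patch in missing_patches(host, patches):
                    targets.append(host.name)
        plan[patch.patch_id] = sorted(targets)
    return plan


# Constructed sample inventory: two security patches and four hosts.
PATCHES = [
    Patch("PATCH-A", "openssl", parse_version("3.0.12")),
    Patch("PATCH-B", "bash", parse_version("5.2.21")),
]
HOSTS = [
    Host("test-1", "test", {"openssl": parse_version("3.0.12"), "bash": parse_version("5.2.15")}),
    Host("prod-1", "prod", {"openssl": parse_version("3.0.10"), "bash": parse_version("5.2.15")}),
    Host("prod-2", "prod", {"openssl": parse_version("3.0.12"), "bash": parse_version("5.2.21")}),
    Host("laptop-7", "prod", {"openssl": parse_version("3.0.9"), "bash": parse_version("5.2.15")}),
]
# The test ring has verified PATCH-A; PATCH-B is not yet installed there.
TEST_RESULTS = {"PATCH-A": {"test-1": True}}

if __name__ == "__main__":
    per_host, per_patch = compliance_report(HOSTS, PATCHES)
    for name, ids in per_host.items():
        print(f"{name:10s} missing: {ids or 'none'}")
    print("hosts lacking each patch:", per_patch)
    print("deploy now:", deployment_plan(HOSTS, PATCHES, TEST_RESULTS))
```

In the sample data, PATCH-A has cleared the test ring and is scheduled for the two production hosts that still lack it, while PATCH-B is scheduled only for the test host; the report also shows the mobile host (laptop-7) as the one furthest behind, the situation item 3 of the obstacle list describes.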

References

  1. NIST, Computer Security Incident Handling Guide, Glossary, at D-2 (NIST Special Publication 800-61, rev. 1) (Mar. 2008) (full-text).

See also

External links

  • GAO, Information Security: Continued Action Needed to Improve Software Patch Management (GAO-04-706) (June 2, 2004) (full-text).
  • GAO, Information Security: Agencies Face Challenges in Implementing Effective Software Patch Management Processes (GAO-04-816T) (June 2, 2004) (full-text).
  • NIST, Creating a Patch and Vulnerability Management Program: Recommendations of the National Institute of Standards and Technology, NIST Special Publication 800-40, Ver. 2.0 (Aug. 2002).