No piece of technology is perfect, and companies often release products to their customers with bugs or incomplete functionality. That is why patches exist: to add missing functionality or to address bugs that existed when the product shipped. But IT departments are often hesitant to apply patches to their critical systems, fearing unexpected interactions with critical software that result in unplanned downtime or reduced functionality.

So, how quickly should IT departments apply patches to their environments?

A recent edition of Protiviti’s Board Perspectives on Risk Management newsletter explored this very topic. The answer: it depends. Systems are complex, and it can take time to validate that patches will not cause issues with existing tools. But the typical gold standard is 30 days from release to implementation. The longer the gap between the release of a patch (or the identification of a vulnerability) and its remediation, the longer the organization’s exposure. Given that, even 30 days may be too long to adequately protect the organization’s assets. Boards and executive management should therefore evaluate their risk tolerance and redirect IT resources as appropriate to bring the patch management process into alignment with their expectations.

Questions your board may ask:

  • Do directors understand the company’s vulnerability management? For example, is the board satisfied with the elapsed time:
    • For patching identified system vulnerabilities?
    • Between the initiation of an attack and its ultimate discovery?
    • Between the discovery of a security breach and the initiation of the response plan to reduce its proliferation and impact?
    • Between the discovery of a significant breach and the undertaking of the required disclosures to the public, regulators and law enforcement in accordance with applicable laws and regulations?
  • Does the board include cyber as a core organizational risk requiring appropriate updates in board meetings? Is the board satisfied that the company’s strategies for reducing the risk of security incidents to an acceptable level are proportionate and targeted to the most important information assets and business outcomes? Does the board receive key metrics or reporting that present the current state of the security program in an objective manner?
  • Does the board focus on the adequacy of the company’s playbook outlining the actions in place to respond, recover and resume normal business operations after an incident has occurred, including responses to customers and employees to minimize reputation damage that could occur in a breach’s wake?


Image Credit: ulleo / Pixabay