Software patches are defined in this document as program modifications involving externally developed software. Patch management standards should include procedures (similar to the routine modification standards described above) for identifying, evaluating, approving, testing, installing, and
Vendors frequently develop and issue patches to correct software problems, improve performance, and enhance security. Organizations should have procedures in place to identify available patches and to acquire them from trusted sources. Procedures for identifying software vulnerabilities and patch information include subscribing to patch-alert e-mail lists and monitoring vendor and security-related websites. Management should regularly obtain bulletins about product enhancements and security issues, as well as available patches and upgrades, from its vendors or other trusted information
When an available patch is identified, management should evaluate the impact of installing the patch by assessing its technical, business, and security implications. If management identifies a significant patch but decides not to install it, it should document the reasons for not installing it.
In order to minimize operational disruptions, management should test all patches prior to implementation. Additionally, management should appropriately back up files and programs and have established back-out procedures in place before implementation.
As with all software modifications, appropriate backup and back-out procedures, post-implementation evaluations, detailed documentation, and established implementation plans enhance management's ability to effectively control patch activities.
Note: The installation of software patches may reset security settings or configuration parameters to default settings. Management should review all settings and parameters after patches are applied to ensure the settings conform to approved policies and procedures.
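One way to make the post-patch review in the note above repeatable is to compare the settings observed after patching against the organization's approved baseline and flag anything that has drifted, in particular values that now match the vendor default. The following is an added example, not part of the booklet; the setting names, baseline values, vendor defaults and the `key = value` snapshot format are all constructed for illustration.

```python
"""Post-patch configuration conformance check (added example, constructed data)."""
from dataclasses import dataclass

# Constructed approved baseline: setting -> value required by policy.
APPROVED_BASELINE = {
    "ssh.PasswordAuthentication": "no",
    "ssh.PermitRootLogin": "no",
    "tls.MinVersion": "1.2",
    "audit.LogRetentionDays": "365",
}

# Constructed vendor defaults: the values a patch may silently restore.
VENDOR_DEFAULTS = {
    "ssh.PasswordAuthentication": "yes",
    "ssh.PermitRootLogin": "prohibit-password",
    "tls.MinVersion": "1.0",
    "audit.LogRetentionDays": "30",
}

# Constructed snapshot of the settings captured after a patch was installed.
POST_PATCH_SNAPSHOT = """
# exported after vendor patch; one 'key = value' per line
ssh.PasswordAuthentication = yes
ssh.PermitRootLogin = no
tls.MinVersion = 1.2
"""

@dataclass(frozen=True)
class Deviation:
    setting: str
    expected: str
    observed: str            # "<missing>" when the setting is absent from the snapshot
    reset_to_default: bool   # True when the observed value equals the vendor default

def parse_settings(text: str) -> dict[str, str]:
    """Parse the constructed 'key = value' snapshot format, skipping blanks and comments."""
    settings: dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings

def check_conformance(observed: dict[str, str]) -> list[Deviation]:
    """Return every baseline setting that is missing or differs from the approved value."""
    deviations = []
    for setting, expected in APPROVED_BASELINE.items():
        actual = observed.get(setting)
        if actual != expected:
            deviations.append(Deviation(setting, expected, actual if actual is not None
                                        else "<missing>", actual == VENDOR_DEFAULTS.get(setting)))
    return deviations
```

Running `check_conformance(parse_settings(POST_PATCH_SNAPSHOT))` on the constructed data reports `ssh.PasswordAuthentication` reset to its vendor default and `audit.LogRetentionDays` missing entirely, which is the kind of finding the note asks management to catch before declaring the patch complete.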