1 Enforcing Compliance: A Patch Management Strategy That Works.


Transcript of 1 Enforcing Compliance: A Patch Management Strategy That Works.

Page 1: 1 Enforcing Compliance: A Patch Management Strategy That Works.


Page 2: Copyright Notices

ITIL® is a registered trademark of the UK Office of Government Commerce.

Visible Ops is the trademark of the IT Process Institute (http://www.itpi.org)

All other trademarks and company names are the property of their respective owners.

This webinar is the property of Spafford Global Consulting, Inc.

Page 3: Overview

Patching Challenges
Policies and Procedures
Change Management
Release Management
Metrics
Questions and Answers

Page 4: Question

Do you have a Change Management process?
1. Yes
2. We are in the process of developing one
3. No

Page 5: Question

How familiar are you with the Information Technology Infrastructure Library (ITIL) as it pertains to Service Support?
1. Not familiar
2. Have heard of it
3. Somewhat familiar
4. Familiar
5. Very familiar, refer to it routinely.

Page 6: Patching Challenges

Patches are time consuming to assess and apply.
Patches are released constantly.
They fail during installation.
They cause services to fail.
One patch can undo another patch.
They can introduce errors.
Developing policies and procedures that work.

Page 7: Policies and Procedures

We want to use standards to reduce variation.
Standardization can help improve security and compliance postures while managing costs.
Policies and procedures need to be realistic and add value.
Shelfware achieves nothing – the policies and procedures must be feasible and make a positive difference (WIIFM: "what's in it for me?").
Getting started is the hardest part. Use your best and brightest people to develop policies and procedures.

So … where do we start?

Page 8: Don’t rush to apply patches immediately!

Uncontrolled change can do more harm than good!

Many high-performing IT organizations do not rush their patches and, in fact, patch less frequently. Moreover, they do not patch production systems directly! They do so in pre-production.

Page 9: Defense in Depth

Think of the rings of walls in a castle. More walls equate to an overall better defensive posture.
Processes, systems and people always have variation – go for layers.
The idea is to layer controls in a cost effective fashion.
If the first control fails, then there is a second, etc.

Compensating Controls
Firewall – perimeter and segments
Network Segmentation
Intrusion Detection Systems
Log Monitoring / Alerting / Security Event Management (SEM)
Antivirus/Anti-malware on clients, hosts, gateways
Integrity Management Systems

(Diagram: layered rings labelled Control 1, Control 2, Control 3.)
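As an added example (not part of the webinar, and not any vendor's product), here is the core of the "Integrity Management Systems" control listed above: take a trusted baseline of file hashes, compare the live state against it later, and flag every file that was added, removed or modified, then subtract the paths covered by an approved change. What is left is the unauthorized-change count that the later slides plot and the metrics slide asks for. The directory, file names and the single "authorized" path are constructed inline for the demo.

```python
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Map relative path -> SHA-256 for every regular file under root.

    Taken right after an authorized release has been deployed and accepted,
    this is the 'known good' state that integrity monitoring compares against.
    """
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            baseline[p.relative_to(root).as_posix()] = hash_file(p)
    return baseline


def diff_against_baseline(root: Path, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Classify every difference between the live tree and the baseline."""
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }


def unauthorized_changes(changes: dict[str, list[str]], authorized_paths) -> list[str]:
    """Changed paths that no approved RFC accounts for: the count to alert on."""
    authorized = set(authorized_paths)
    return sorted(p for paths in changes.values() for p in paths if p not in authorized)


def demo():
    """Constructed scenario: one authorized patch plus two pieces of hand-made drift."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "service").write_bytes(b"v1.0 binary")
        (root / "etc" / "service.conf").write_text("debug=false\n")
        baseline = build_baseline(root)

        # Authorized release: the RFC covers bin/service only.
        (root / "bin" / "service").write_bytes(b"v1.1 binary (patched)")
        # Unplanned drift: a config flipped by hand and a stray file left behind.
        (root / "etc" / "service.conf").write_text("debug=true\n")
        (root / "etc" / "notes.txt").write_text("temp fix\n")

        changes = diff_against_baseline(root, baseline)
        return changes, unauthorized_changes(changes, ["bin/service"])


if __name__ == "__main__":
    changes, unauth = demo()
    print("changes:", changes)
    print("unauthorized:", unauth)
```

Hashing alone only tells you that something changed; the value comes from joining the result with Change Management so that "changed and authorized" is silently accepted while "changed and unauthorized" becomes an incident. A real deployment would also hash file metadata (mode, owner) and keep the baseline somewhere the monitored host cannot write to, otherwise an attacker who can modify files can also rewrite the baseline.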

Page 10: What are we really talking about?

Change and Release Management with support from Configuration Management.

Page 11: ITIL Definitions

Change Management is the set of standardized processes and tools used to handle change requests in order to support the business while managing risks.

Release Management uses formal controls and processes to safeguard the production environment.

Configuration Management focuses on tracking and documenting configurations and then providing this information to other areas including Change and Release Management.

Page 12: Human Error is Huge!

May 17, 2005 – Third annual CompTIA study shows human error still counts for the majority of security incidents – 79.3%. That number is virtually the same as 2004. -- CompTIA, 2005
http://www.comptia.org/about/pressroom/get_pr.aspx?prid=611

Human error accounts for 80% of network availability issues. -- Stephen Elliott, Senior Analyst, Network and Service Management, IDC 2004

Page 13: Change Management is the organization’s last firewall against human error and malicious activity before production.

Page 14: Phase I: Ungoverned Change

(Chart: change rate over time, plotted alongside the number of failed changes and/or unauthorized changes and the resulting unplanned work; unplanned work > 100%.) Source: IT Process Institute, 2005, http://www.itpi.org

Page 15: Phase I: Stabilized Patient

(Chart: change rate over time, plotted alongside the number of failed changes or unauthorized changes and the resulting unplanned work.) Source: IT Process Institute, 2005, http://www.itpi.org

Page 16: What does this mean?

If we can reduce the errors going into production, then unplanned work can be reduced.
If unplanned work is reduced, then projects can get done.
If projects can get done, then, hopefully, IT is enabling the functional areas to move towards their objectives and the organization towards its goal.

By patching, or introducing change, IT should be adding value by enabling the business or assisting in the mitigation of risks. With uncontrolled change, IT adds risks.

Page 17: Process References

For a definitive reference, see ITIL’s Service Support Volume: http://www.ogc.gov.uk/index.asp?id=2261
Microsoft’s Operations Framework: http://www.microsoft.com/technet/itsolutions/cits/mo/smf
British Educational Communications and Technology Agency (BECTA): http://www.becta.org.uk/tsas
IT Process Institute’s Visible Ops Methodology: http://www.itpi.org

Page 18: A Basic Change Management Process

1. Identify a potential change
2. Create Request For Change (RFC)
3. Seek Approval to Proceed
4. Plan the Change
   Plan & Prepare
   Test
   Develop Rollback Plan
5. Peer Review
6. Seek Approval to Implement
7. Deploy
8. Review

Page 19: What is Release Management?

“The focus of Release Management is the protection of the live environment and its services through the use of formal procedures and checks.” – ITIL Service Support

Release management is often squeezed between the development environment and production.

(Diagram: Development Environment, Test Environment, Production Environment, with Release Management sitting between development and production.)

Page 20: Release Management Processes

To plan and oversee rollouts.
Acceptance Testing.
Design and implement procedures for the distribution and installation of changes.
   Automation can reduce variation and speed deployment in known environments.
   This means that change, release and configuration management must work together.
To ensure only authorized and tested “releases” are deployed.
Ensures that all master copies of software are stored in the Definitive Software Library (DSL).
Ensures that the Configuration Management Database (CMDB) appropriately reflects new Releases.

Page 21: A Sample Process

1. Development/Engineering/Security identifies potential patches.
2. Change Management reviews the RFCs for the patches and, if approved, does the planning, testing, etc.
3. Approved patches/changes are reviewed and consolidated into a given release.
4. Integration testing is performed and requires effective Configuration Management.
5. Once tested and accepted, approved releases are stored in the Definitive Software Library (DSL).
6. Releases and schedules are communicated.
7. Operations then reviews the Release, formally accepts it, and deploys the Release from the DSL.
8. The more automated the deployment, the better, as it reduces the possibility of human error, but it necessitates solid Change and Configuration Management.

(Diagram: Patch 1, Patch 2, Patch 3 -> Change Management -> Release Planning -> Integration Testing -> Authorized Release.)
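The sample process ends with Operations deploying an authorized release from the DSL, ideally by automation. The following is an added example of the gate such automation should put in front of the install step; it is not the webinar's material or any particular tool. Before anything is written to a host it checks that the release exists in the DSL, that the bytes about to be installed hash to what the DSL recorded after integration testing, that every RFC consolidated into the release is approved and tested, and that the target is a known configuration item in an environment the release is authorized for. The DSL, RFC and CMDB records, the release names, RFC numbers and host names are all constructed stand-ins for the real systems of record.

```python
import hashlib
from dataclasses import dataclass, field


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for the systems of record (all names and bytes are made up).
RELEASE_2_3 = b"release-2.3 payload: patch 1 + patch 2 + patch 3"
RELEASE_2_4 = b"release-2.4 payload: patch 4 (still in test)"

DSL = {  # Definitive Software Library: the only source a deployment may use
    "release-2.3": {"sha256": sha256(RELEASE_2_3), "rfcs": ["RFC-101", "RFC-102", "RFC-103"],
                    "environments": ["preprod", "prod"]},
    "release-2.4": {"sha256": sha256(RELEASE_2_4), "rfcs": ["RFC-104"],
                    "environments": ["preprod"]},
}

RFCS = {  # Change Management records for the changes consolidated into releases
    "RFC-101": {"approved": True, "tested": True},
    "RFC-102": {"approved": True, "tested": True},
    "RFC-103": {"approved": True, "tested": True},
    "RFC-104": {"approved": True, "tested": False},
}

CMDB = {  # Configuration items and the environment each belongs to
    "web01": {"environment": "prod"},
    "web02": {"environment": "preprod"},
}


@dataclass
class GateResult:
    allowed: bool
    reasons: list = field(default_factory=list)


def release_gate(release_id, artifact, target_host, dsl=DSL, rfcs=RFCS, cmdb=CMDB):
    """Decide whether deploying `artifact` as `release_id` onto `target_host` is authorized.

    Every failing check is collected rather than stopping at the first, so the
    post-change review sees the whole picture.
    """
    reasons = []
    record = dsl.get(release_id)
    if record is None:
        return GateResult(False, [f"{release_id} is not in the DSL"])  # nothing more to check

    # 1. The bytes being installed are exactly the bytes that were tested and accepted.
    if sha256(artifact) != record["sha256"]:
        reasons.append("artifact hash does not match the DSL record")

    # 2. Every change consolidated into the release is approved and has passed testing.
    for rfc_id in record["rfcs"]:
        rfc = rfcs.get(rfc_id)
        if rfc is None:
            reasons.append(f"{rfc_id} has no change record")
        elif not rfc["approved"]:
            reasons.append(f"{rfc_id} is not approved")
        elif not rfc["tested"]:
            reasons.append(f"{rfc_id} has not passed testing")

    # 3. The target is a known CI, in an environment this release is authorized for.
    ci = cmdb.get(target_host)
    if ci is None:
        reasons.append(f"{target_host} is not in the CMDB")
    elif ci["environment"] not in record["environments"]:
        reasons.append(f"{release_id} is not authorized for {ci['environment']}")

    return GateResult(not reasons, reasons)


if __name__ == "__main__":
    for args in [("release-2.3", RELEASE_2_3, "web01"),
                 ("release-2.4", RELEASE_2_4, "web01"),
                 ("release-2.3", RELEASE_2_3 + b"\x00", "web03")]:
        print(args[0], "->", args[2], release_gate(*args))
```

The hash comparison is what turns "deploy from the DSL" from a policy into a control: a package that was edited after integration testing, or one fetched from somewhere other than the DSL, is refused even if its name matches. The CMDB check is the other half, since an unknown host or a pre-production-only release landing in production is exactly the uncontrolled change the deck warns about.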

Page 22: Metrics to consider

Total Number of Changes
Total Number of Emergency Changes
Total Number of Service Affecting Outages
% of Successful Changes (meaning they installed according to plan)
Mean Time To Repair
Availability
Unplanned work
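The slide lists the metrics without saying how they are derived from the records an organization already keeps, and the definitions matter: MTTR and availability both come from the same outage timestamps, and "unplanned work" only means something relative to the planned capacity it displaced. As an added example (not from the webinar), the following computes all seven from a constructed change log and outage log for one month; the change IDs, hours and the 200-hour planned capacity are invented for the demonstration.

```python
from datetime import datetime, timedelta

# Constructed records for one reporting period (June 2005). In practice these
# come from the change log, the incident system and time tracking.
CHANGES = [
    # id, emergency change?, installed according to plan?, unplanned hours it caused
    {"id": "C1", "emergency": False, "successful": True,  "unplanned_hours": 0},
    {"id": "C2", "emergency": False, "successful": False, "unplanned_hours": 6},
    {"id": "C3", "emergency": True,  "successful": True,  "unplanned_hours": 2},
    {"id": "C4", "emergency": False, "successful": True,  "unplanned_hours": 0},
    {"id": "C5", "emergency": True,  "successful": False, "unplanned_hours": 10},
]

OUTAGES = [  # service-affecting outages, each tied to the change that caused it (None if unrelated)
    {"start": datetime(2005, 6, 1, 9, 0),   "end": datetime(2005, 6, 1, 11, 0), "change": "C2"},
    {"start": datetime(2005, 6, 12, 22, 0), "end": datetime(2005, 6, 13, 2, 0), "change": "C5"},
]

PERIOD_START = datetime(2005, 6, 1)
PERIOD_END = datetime(2005, 7, 1)
PLANNED_HOURS = 200  # project hours the team had available in the period (assumed figure)


def change_metrics(changes, outages, period_start, period_end, planned_hours):
    """Compute the slide's metrics for one period from raw change and outage records."""
    total = len(changes)
    emergency = sum(1 for c in changes if c["emergency"])
    successful = sum(1 for c in changes if c["successful"])
    unplanned = sum(c["unplanned_hours"] for c in changes)

    # MTTR is the average outage duration; availability is the share of the period
    # with no outage in progress. Both derive from the same timestamps.
    downtime = sum((o["end"] - o["start"] for o in outages), timedelta())
    period = period_end - period_start
    caused_by_change = sum(1 for o in outages if o["change"] is not None)

    return {
        "total_changes": total,
        "emergency_changes": emergency,
        "service_affecting_outages": len(outages),
        "outages_caused_by_changes": caused_by_change,
        "pct_successful_changes": round(100.0 * successful / total, 1) if total else None,
        "mttr_hours": round(downtime.total_seconds() / 3600 / len(outages), 2) if outages else None,
        "availability_pct": round(100.0 * (1 - downtime / period), 3),
        "unplanned_work_hours": unplanned,
        # Unplanned work as a share of planned capacity: the "unplanned work > 100%"
        # case on the ungoverned-change chart is when firefighting alone exceeds
        # every hour that was planned.
        "unplanned_work_pct_of_planned": round(100.0 * unplanned / planned_hours, 1),
    }


if __name__ == "__main__":
    for k, v in change_metrics(CHANGES, OUTAGES, PERIOD_START, PERIOD_END, PLANNED_HOURS).items():
        print(f"{k:32} {v}")
```

Tracking outages_caused_by_changes separately from the outage total is what lets you tell whether the change process itself is the problem: if most service-affecting outages trace back to a change, the fix is in planning, testing and rollback, not in monitoring.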

Page 23: In Summary

Patches are changes and must follow the organization’s Change and Release Management processes.

The goal is to manage risks and add value – not just to patch for the sake of patching.

Page 24: Thank you!

George Spafford, [email protected]
http://www.spaffordconsulting.com
Daily News Archive: http://www.spaffordconsulting.com/dailynews.html