Patc h Management

FITS OM Directory Services Administration Contents

PM 1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1 PM 2 Implementation guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3 PM 3 Operations guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9 PM 4 Roles and responsibilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .11 PM 5 Patch Management assessment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .12

Key
Cross reference: Cross reference

Framework for ICT Technical Support Operations Management

Patc h M a n a g e m e n t
Becta 2006 You may reproduce this material free of charge in any format or medium without specific permission, provided you are not reproducing it for profit, material or financial gain. You must reproduce the material accurately and not use it in a misleading context. If you are republishing the material or issuing it to others, you must acknowledge its source, copyright status and date of publication. Publication date March 2006 Originally published online in February 2006 as part of the Becta website http://www.becta.org.uk/fits While every care has been taken in the compilation of this information to ensure that it is accurate at the time of publication, Becta cannot be held responsible for any loss, damage or inconvenience caused as a result of any error or inaccuracy within these pages. Although all references to external sources (including any sites linked to the Becta site) are checked both at the time of compilation and on a regular basis, Becta does not accept any responsibility for or otherwise endorse any product or information contained in these pages, including any sources.

British Educational Communications and Technology Agency, Millburn Hill Road, Science Park, Coventry CV4 7JJ

Patc h M a n a g e m e n t
PM 1 Overview
PM 1.1

What is Patch Management?

The goal of Patch Management is to keep the components installed on the network (hardware, software and services) up to date with the latest patches and updates. The network components covered in Patch Management may include: Computers Servers Software Peripherals Cabling Routers and switches Services such as messaging, database, MIS and file storage.

PM

1.2

Why have Patch Management?

Patch Management is an important part of keeping the components of the network available to the end user. Without regular patching, the ICT infrastructure could fall foul of problems which are fixed by updating regularly the software, firmware and drivers. Poor patching can also allow viruses and spyware to infect the network. Patch Management should be a centralised, managed service that guarantees protection, rather than a user-installed, piecemeal approach that leaves the state of the network unknown. The internet offers schools the opportunity to enhance learning and teaching via new ICT services such as email, video conferencing, instant messaging and a huge library of information. However, the downside of internet access is that the schools network is vulnerable to threats of disruption to these services, which may also compromise the reliability, availability and security of the entire network and ICT services. Many of the threats come from malware, which is a term used to describe malicious software such as viruses, Trojans and now spyware. Protecting the network with security measures provides one layer of protection, while educating your users about the threats of spyware and malware provides another layer. Users need to know what to do when they receive an email from an unknown source: whether just to delete it, report it to technical support or open it. Users also need to know how to deal with browser plug-ins or instructions from browsers to click here to install updates, as these could easily be spyware attempts to infect that computer. It is possible to counter threats like these with a combination of software and user education. User education needs only to inform users about potential threats and how to deal with them; it does not need to go into detail. As a minimum, users need to know how to inform technical support if they suspect malware activity, or ask if they are unsure about any email or browser activity that is unfamiliar to them. This education needs to be frequent enough to keep it in the minds of the users perhaps once a month

Becta 2006

FITS OM Patch Management

in a newsletter or bulletin. To enforce safe practice by users, the school can put in place an acceptable use policy which clarifies what users may and may not do.

PM

1.3

Who uses Patch Management?

Technical support staff use Patch Management every day as part of their regular maintenance schedule to ensure that the network components are up to date. End users may also be allocated some Patch Management tasks such as keeping their laptop updated with the latest antivirus software.

PM

1.4

How Patch Management works

Patch Management uses information from the CMDB (configuration management database) and a network topology (map) managed by the FITS Configuration Management process to provide a clear picture of the components that make up the network and how these are configured. Patch Management focuses on maintaining the availability and security of the technology which supports the ICT services by updating the following in a planned way: Software designed to protect the network against threats such as viruses, Trojans, worms and spyware Unpatched software and drivers.

For Patch Management to be effective, the patch administrator (PM 4) needs to have access to information about new patch releases, antivirus and spyware updates, driver updates and so on. You can make a list or spreadsheet of manufacturers websites that hold the patches and updates in the configuration management database to give all technical support staff access to this important information. The patch administrator can create the list and keep it up to date by regularly visiting manufacturer and supplier websites, or by subscribing to mailing lists. Some websites are now beginning to add RSS (really simple syndication) feeds to their sites, which allows the patch administrator to take the headlines from the site and list them all together on one page. The patch administrator can see at a glance the changes that are relevant and then construct a custom page with information about driver updates from multiple suppliers. It is recommended that the patch administrator allocates time for keeping up to date with the latest information about updates for all of the components in the network. Patch Management terms Patch or fix Driver Service release or service pack Update A release of software that includes bug fixes or performance-enhancing changes Software required by the operating system to make a piece of hardware function A release of software that bundles together several patches and/or updates to provide a clear benchmark or level of release (eg This software has Service Release 1 installed.) A release of software that adds new functionality to an earlier version Software that has a numeric or named attribute denoting its maturity or age (eg Are you on version 1 or 2?) Higher value increments indicate a more mature release, which is likely to have fewer bugs and to run better than earlier builds.

Version or build

Becta 2006

FITS OM Patch Management

PM

1.5

What does Patch Management cost?

The cost of Patch Management has three aspects: expenditure, people and time.

PM

1.5.1

Expenditure
Patch Management may require subscriptions to vendors of antivirus and antispyware software. As spyware is a relatively new threat to school networks, we have included some additional information on this in Appendix A. Also some hardware manufacturers require you to pay for switch, BIOS and other equipment updates. Once you have bought a product, you normally receive the updates, service packs and patches for free. However, if a new version comes out and you want to move onto that, you usually have to buy the whole product or upgrade to it, for which you have to pay. Manufacturers usually provide hardware drivers at no cost as they are of no value without the purchased hardware. However, if you do not have a valid licence code or serial number for the hardware item, you may not be allowed to download the latest driver free of charge.

PM

1.5.2

People
In a complex network with a high number of components, Patch Management may require a full-time member of staff. However, most schools will allocate Patch Management roles to a technician or the network manager. The patch administrator is responsible for the keeping the network components up to date, but may delegate tasks to others such as technicians, ICT staff or users.

PM

1.5.3

Time
It takes time to keep up to date with manufacturer changes and releases to software and hardware. It also takes time to plan and perform updates and patches. When considering the resources required to maintain the network, bear in mind that the more versions of operating systems there are in your school, the more patches and releases you will have to apply, which of course takes more time. This is why we recommend that you limit the number of different types of hardware and operating systems that you buy.

PM 2 Implementation guide
PM 2.1

Define your Patch Management policy

You may want to include the following in your Patch Management policy. A list of computers, servers and peripherals on the network covered under the policy (this information should be available in the configuration management database) Allocation of roles and responsibilities for Patch Management activities Patch Management schedules

1 2 3

Becta 2006

FITS OM Patch Management

A list of which patches and updates will be carried out using the Change and Release Management processes and which can be done without them For example updating antivirus definitions is unlikely to require Change Management and Release Management, as there is only a low chance of failure and impact on the users, but upgrades to operating systems should, as these are more prone to failure and the impact of failure on the users could be high. If you decide to carry out a patch or update without Change Management and Release Management, you should still log it, as a record of the information could help with future incident or problem diagnosis.

5
PM 2.2

Definition of which email attachments and internet downloads are safe to open and how this will be communicated to users.

Prepare to implement
Good preparation can make the difference between a successful implementation of Patch Management and an unsuccessful one. The first step is to identify the participants and assign roles and responsibilities. We recommend that for the initial implementation you involve as few people as possible so that the tasks can become familiar with minimum impact on the day-to-day workload of the school. The people you select to fulfil the Patch Management roles will depend on how you currently provide technical support and who is involved already. After you have assigned roles and responsibilities, it is important to ensure that those participating in the implementation and subsequent operation of the function understand what is required of them. Use the FITS OM website as training material. A start date is important for any implementation. Choose a date that you can achieve, bearing in mind that you will need to have an up-to-date list of the network components before you start. If you do not have this, you will have to allow time to carry out a full audit or implement FITS Configuration Management. Communication must take place within the implementation team to agree plans, schedule dates and so on, but it is also important to communicate externally and inform the user community of the new function. It is a good idea to send out a regular bulletin or email to keep your users informed of changes that have taken place and those that are about to happen. This keeps everyone up to date and helps to mitigate potential problems. Before you can go ahead with the implementation, you will need all the materials and tools required for the function see below for guidelines on maintaining a full up-to-date inventory and using automating tools.

Roles and responsibilities

Training

Start date

Communications

Materials

PM

2.2.1

Full up-to-date inventory

Your configuration management database will contain information about each hardware and software component, known in FITS as a configuration item (CI), installed on the network. For Patch Management it is recommended that you also keep the following attribute information for each CI.

Becta 2006

FITS OM Patch Management

Type Computer Operating system Switch Antivirus Antispyware Printer Scanner PM 2.2.2

Updates BIOS, firmware, system board drivers, video driver, network driver Service packs, patches, feature packs Firmware Data file/Virus definition update Data file/Virus definition update Driver, firmware Driver, firmware

Automating tools
Installing the latest drivers, patches and updates on every computer in school can obviously take a lot of time and may seem like an endless task. However, you can speed up the process using software deployment tools. Tools such as disk imaging or patch management software, along with antivirus administration console software, can help make the task less burdensome. Disk imaging is one method of bringing several computers up to date reasonably quickly. Using Release Management you should be able to document and prepare an image in a consistent way, and then use the Change Management process to deploy the image.

PM

2.3

Assigning roles and responsibilities

You will need to assign the following roles before implementing the policies: Suggested representative Person responsible for implementing and running the Patch Management strategies, eg: Network manager Technician Supplier. Person responsible for managing the assessment and approval of major ICT infrastructure changes or the introduction of new hardware or software, eg: Network manager Technician Supplier. Person responsible for managing the process of planning, building, testing and deploying new hardware or software, eg: Network manager Technician Supplier. Comments Ownership of all updates including: Operating system and application patches for computers and servers Antivirus and antispyware updates Firmware updates for hardware Printer driver updates. If it is decided that the new patch or update requires Change Management, completing a request for change form (see ChM Appendix A) will be necessary.

Role

Patch administrator (see PM 4.1)

Change manager (see ChM 5.6)

Release manager (see RM 5.1)

If it is decided that the new patch or update requires Release Management, completing a build and install form (see RM Appendices D and F) will be necessary.

Becta 2006

FITS OM Patch Management

PM

2.4

Implementing Patch Management

The Patch Management cycle

Audit current state

New patch available Acquire patch

Patch Management cycle

Review deployment Test patch

Deploy patch

We discuss each step of the cycle below. PM 2.4.1

Audit current state

Before you can maintain your network, you need to understand its current state. This involves identifying the hardware, software, operating systems applications and their patch levels. Other hardware and peripherals such as printers and switches have firmware that you should also identify. This may seem a big job to start with if you do not have this information to hand in a configuration management database, or on lists or spreadsheets. However, the information is vital for successful Patch Management implementation. There are tools to help you automate and speed up this process, obtainable from your operating system manufacturer or from third-party suppliers, which you may like to consider. Once you know the current state of your network you can begin to plan to bring it up to date by installing the latest drivers, patches, firmware and definitions. The aim of bringing everything up to date is to create a baseline from which you can start regular patch maintenance, as the process is far easier if everything is at the same level to begin with. When you carry out this audit you may find that there are several versions of a product in use. It is easier to manage a smaller number of versions or ideally only one version: the most recent. Managing several versions creates confusion and is more time consuming to support. If you find yourself in this situation, consider upgrading the older products to the latest version, which will probably involve a financial outlay but is worth it in the long run.

Becta 2006

FITS OM Patch Management

PM

2.4.2

New patch available

News that a new patch is available may come from a variety of sources such as manufacturers websites, suppliers bulletins or technical forums. The patch will usually have some release information explaining what the patch fixes and who should use it. Read the information carefully and ensure that the patch applies to the components and overall network structure of your school. The patch may not be applicable to every component on the network, in which case you need to identify which components require the patch. The patch may also have an importance rating. If a patch is described as critical, it is important to install it as soon as your Change Management process allows because the reliability and security of your network may be at risk. If the patch is not critical, read the information released with it to understand when it should be implemented. If yours is a large network with many hardware components and software applications, you may receive new updates and patches every day. To release each one as it becomes available is time consuming and potentially disruptive to users of the ICT services. In this case you can collect a number of updates and patches into one release as long as you test the release before deployment. It is worth noting that in industry very few organisations with critical services will ever be the first to implement new patches. They prefer to live with known risks rather than implement new patches with unknown risks.

PM

2.4.3

Acquire patch
The next step is to acquire the patch by downloading it from the internet, getting it sent by post or having it emailed to you. Some of the new service packs are hundreds of megabytes in size, in which case requesting those on CD will save you bandwidth and download time.

PM

2.4.4

Test patch
Test the patch on a computer or other device reserved for testing (or a limited number of live computers). The testing itself depends on what the patch claims to fix. You may be able to ascertain that the bug has been fixed, although most patches nowadays are for obscure security holes. Once you are satisfied that the computer or other device still works properly and that the patch has not created other faults, continue to the next step.

PM

2.4.5

Deploy patch
This step may involve imaging a computer and deploying the new image, or it may involve visiting every computer affected by the patch. Again, this depends on the tools you have available and the patch management strategy you employ. A point to note is that in industry, companies implement change freezes they never do changes over the pre-Christmas period, for example. In the case of schools, it is probably a good idea to have a change freeze during the first day of term and on exam days. Plan any major changes for a time when the users affected are not in school, so that there is enough time to roll back if anything should go wrong.

PM

2.4.6

Review deployment
Once you have deployed the patch, check that none of the computers with the new patch is adversely affected. Also, you need to check that the patch is installed successfully. You cannot assume that the patch has been installed on every computer, as other factors such as lack of disk space, computer shutdown or network problems may have affected the deployment.

Becta 2006

FITS OM Patch Management

Once you have ascertained that the patch has been deployed successfully, update the configuration management database (CMDB) and/or the request for change document associated with this change. Report any incident or problem to the service desk for resolution using Incident Management or Problem Management.

PM

2.5

Pilot
To pilot your proposed Patch Management function, it is good practice to trial the changes first on a small group of computers. This enables you to experiment with the way that works best for you and your users. In a perfect world, you would have a test lab where you could experiment with different scenarios that reflected your live network. However, most schools do not have this facility, so it is best to test the implementation on a limited number of computers before going live with this function on the entire network.

PM

2.6

Review the implementation

Review your implementation by asking the following questions. Question Points to think about Consider upgrading older versions to the most recent version.

Do we have different versions of the same software/hardware? How long did it take to obtain the latest versions for each item? How easy was it to update each group of items? Did the changes made adversely affect any users? If so, is there anything you could do to mitigate this in the future? Do people understand their roles and responsibilities? Was each step of the implementation covered?

Include this time when estimating the installation time in future.

If necessary, consider changing the build procedure or creating additional build procedures to cater for this. Consider how you informed users and the timescales involved. Also consider any training implications of the changes made.

Inform staff of their involvement in this process and what is expected of them. If not, go back and perform this section again.

Becta 2006

FITS OM Patch Management

PM 3 Operations guide
PM 3.1

What needs to be done?

Check hardware items for firmware updates. Check software items for patches, updates, service packs and drivers. Check antivirus programs for updates to virus definition files. Check antispyware programs for updates to definition files. Search the internet regularly to find out about new threats, patches or releases. Schools do not always receive this information automatically.

PM

3.2

When does it need to be done?

For most technical support teams, patch releases are becoming a normal part of life. The frequency of releases is also becoming more regular and less erratic, which makes scheduling their installation easier. In general, software providers supply patches once a month, whereas firmware updates tend to be yearly or six-monthly. Below is a list of network components that require patch management. Computers Apple computers Servers Switches, hubs and routers

This list is not comprehensive, so you may well have other items to which you will need to apply patch management. Use the information in your CMDB to create a list of your network components that require patch management. PM 3.2.1

Computers
As soon as you take a new computer out of its box, it is already out of date! The computer industry moves very fast and within a few weeks of installation, unless you keep it up to date with critical patches, your computer may be in danger of being hacked or damaged, even with the protection of a firewall and antivirus software. To prevent this from causing problems, follow a patch maintenance schedule.
Example schedule for computers

Weekly Monthly

Check for new software patches. Check for the latest antivirus definitions. Check that spyware definitions are up to date. Check for news about new threats, new patches and new releases. Check that drivers (for example video and network) are up to date. Check antivirus engine updates. Check for new printer drivers. Check BIOS firmware.

Six monthly

Becta 2006

FITS OM Patch Management

PM

3.2.2

Apple computers
Apple Mac workstations differ from other computers in that they can only run the Apple Mac operating system, whereas most other computers are able to run several operating systems. This guide applies to Mac OS X or later, since Apple no longer supports Mac OS 9 and earlier versions. Because of this difference, Apple machines have a more clearly defined schedule that you should follow.
Example schedule for Apple computers

Weekly

Check for software updates. Check antivirus definitions. Check for third-party software updates. Check antivirus engine updates. Check for new printer drivers. Check for new operating system version.

Monthly Six monthly Annually

PM

3.2.3

Servers
Servers require more attention than personal computers, as servers are more critical. Do not make major changes to servers without going through the Change Management process. Ideally, this even applies to antivirus updates, but it is particularly vital for firmware or software patches. Using Change Management will prevent you from making changes without planning and considering all the implications of that change.
Example schedule for servers

Weekly Monthly

Check for new software patches. Check for the latest antivirus definitions. Check for new spyware definitions. Check for new drivers (for example video and network). Check antivirus engine updates. Check for new printer drivers. Check BIOS firmware.

Six monthly

PM

3.2.4

Switches, hubs and routers

Like computers, switches, hubs and routers have software that you may need to update. This tends be in the form of firmware updates. Although manufacturers test firmware thoroughly before releasing it, some bugs or performance loss is still possible in the final release. It is important not to forget firmware updates, since to do so may affect the reliability and security of your school network. Before making changes to switches, hubs or routers, make a backup of the configuration! Some firmware updates can wipe the memory and result in lost configuration. You should check for new updates for switch, hub and router firmware annually.

Becta 2006

FITS OM Patch Management

10

PM

3.3

Who does it?

Technical support staff or third-party suppliers perform most of the activities in Patch Management. However, users can do some of the more routine updates.

PM

3.4

How is it measured?
There are several ways of measuring Patch Management: The amount of activity (number of patches and updates installed) the process produces The number of hours per week spent on the activity The number of requests for change the process generates Percentage success rate of applied patches Percentage of patches/updates that fail testing Number of patches applied compared to patches issued.

It is worth noting the impact of not implementing Patch Management. If you do not use Patch Management, computers may become infected with viruses that spread over the network and seriously affect the reliability and security of all the school's ICT services.

PM 4 Roles and responsibilities

We have defined the principal roles and their associated responsibilities for Patch Management according to best practice. Schools may need to combine some roles, depending on size, organisational structure and any underlying service level agreements existing between technical support and the school.
Role descriptions in the context of the Patch Management function are not job descriptions. Depending on the size and structure of your technical support team, one person may assume more than one role. However, good practice for function management dictates that although different people may be involved in performing activities, there should be only one owner per function. This means that one individual is always accountable for overall function performance and can intervene to make things happen when a function breaks down.

PM

4.1

Patch administrator
The patch administrator is the function owner with full responsibility for ensuring that Patch Management is performed correctly. In a school, it is likely that the patch administrator role will be shared with other FITS OM function and FITS process roles. As Patch Management works closely with FITS OM Security Administration and FITS Change Management and Release Management, you can combine some of the roles. The patch administrator must keep informed about the release of new updates, drivers, patches and firmware. This may take up considerable time unless the task can be automated (for instance, by email notifications from vendors and manufacturers).
Key tasks

Becta 2006

Ensure that all operating systems and software have up-to-date service packs and patches. Keep drivers up to date. Keep firmware on hardware up to date. Keep antivirus and antispyware definitions up to date. Produce Release Management build procedures for major updates to enable other technicians to carry out the updates. Check that installations of patches and updates are successful.
FITS OM Patch Management

11

PM 5 Patch Management assessment

Below is a table that asks basic questions about Patch Management. If you can answer yes to them all, you are doing fine. If you are answering some of the questions with a no or sometimes, then the table recommends some actions for you to take.
Question 1. Have you defined the scope and objectives of the Patch Management function? 2. Have you produced a full hardware and software inventory? Recommended action Define the scope of the Patch Management function. Document all activities and allocate them to the technical support staff. If a full up-to-date CMDB or inventory of hardware and software does not exist, implement Configuration Management or perform a full audit. From the inventory, list the hardware manufacturers and software suppliers, plus each item they produce that you own. Make a note of how to obtain the latest update from each company (eg download or order CD). Make sure that the Release Management DSL is up to date with the latest drivers, firmware and updates. This will make updates easy to find in the future. Using Change Management and Release Management, prepare a schedule of when to install updates and create an associated build procedure for each release of changes. Inform staff about Patch Management, what is expected of them and how they are affected by any activities in this function. Prepare to implement a small-scale pilot before implementing this function throughout the school. Once you have installed some updates, check to see if they were indeed installed correctly. Establish a single point of ownership and accountability for the Patch Management function. You can charge this person with implementing the other recommendations in this report through a programme of continuous improvement. Others involved in the Patch Management function will then know whom to contact if they identify any deficiencies in the function. Give staff access to training material and provide experienced staff to help them learn the process. Run an improvement programme to increase function awareness. Mount an awareness campaign to make everyone aware of the tasks performed by the Patch Management function. Without documentation, the function is open to interpretation and will lack a consistent approach. Document the activities and make this documentation available to all staff performing them. The documentation can be used in training and as a reference point.

3. Have you a list of hardware and software manufacturers and the items they produce that you own? 4. Have you stored the latest copy of hardware and software updates in the definitive software library (DSL)? 5. Do you have a release plan for installing these updates? 6. Do you inform all staff about the Patch Management function and how it affects them? 7. Have you planned a pilot before implementing the function across the school? 8. Do you check whether updates were installed correctly? 9. Does the Patch Management function have an owner responsible for its day-to-day management and ongoing development? 10. Are those performing the Patch Management function aware of how to do so? 11. Are the end users of the Patch Management function aware of it and conforming to it? 12. Have you documented the activities in the Patch Management function?

Becta 2006

FITS OM Patch Management

12

PM Appendices
PM Appendix A

Spyware
What is spyware?

A new type of threat has recently emerged in the form of spyware. Spyware is unlike a virus in that it does not replicate itself to other computers, but it can cause problems with a computers performance and send personal data back to an unknown source without the uses consent. Suppliers may bundle spyware with legitimate commercial software with the intention of collecting information for the supplier to use in further marketing or product improvements. However, any data collected and sent without the users consent or knowledge is considered spying.
What does spyware do?

Spyware can hijack your browser by changing the start page and default search page with its own copy. This can mean that your browser can be further infected with other trojans and viruses or simply annoy you with changes you did not ask for. It is well known that spyware slows computers down by taking up processor time and hard disk space doing whatever it is designed to do. Spyware usually collects and sends back information about the user. This information can include personal details (name, address and so on) plus information about websites visited or, worse, private information such as passwords or credit card information.
What can I do to protect against spyware?

These days most antivirus companies either sell antispyware software as a separate product or build it into their main antivirus product. There are also many good quality free antispyware programs available. However, these tend to be designed for manual scanning and removal, and may not provide real-time protection.

You can download the templates from the FITS OM website http://becta.org.uk/fits_om/downloads.cfm

Becta 2006

FITS OM Patch Management

13

Appendix B

Useful links
Network administration advice and anecdotes Independent patch management mailing list Antivirus products Antivirus products Antivirus products Antivirus products Antivirus products Antivirus products Antivirus products Antivirus products

http://www.thenetworkadministrator.com http://www.patchmanagement.org http://www.mcafee.com http://www.symantec.com http://www.trend.com http://www.microsoft.com http://www.sophos.com http://www.grisoft.com http://www.avast.com http://www.ca.com

You can download the templates from the FITS OM website http://becta.org.uk/fits_om/downloads.cfm

Becta 2006

FITS OM Patch Management

14