Summary
Twenty pages to tell you what you already know: There is more involved in being the security officer than just clicking Install when new updates are available. You need to not only be savvy about how to update a system, but also when, why, where you need to go for answers, and how you balance functionality with allowing your employees to be productive. There is a fine line.
The main challenge in managing security updates is determining which of the many available updates are appropriate to the needs and vulnerabilities of your enterprise systems and business requirements.
Some updates are critical and require immediate action to protect your environment. For example, the updates that address risks from newly discovered exploitations, viruses, and worms are considered critical updates.
Some updates can be useful, can increase performance or stability, or can make the end-user experience better, but they might not be considered critical to the safety of your enterprise. Other updates might not be necessary to your enterprise and can be ignored.
Some updates could create problems (for example, break other line-of-business applications) for your enterprise if you use them.
To keep your enterprise secure, you must establish processes for the following:
• Receiving information about the latest software updates and vulnerabilities
• Auditing your enterprise for applicable software updates
• Assessing and authorizing available software updates
• Deploying authorized software updates within your enterprise in a timely, accurate, and efficient manner
• Tracking update deployment across your enterprise
To learn how to determine which updates are critical, useful, irrelevant, or harmful to your enterprise, and to create a software update management process for your enterprise, you need to be familiar with the current state of the resources in your enterprise. This includes knowing the following:
• The computers in your enterprise
• Operating systems and versions functioning on the computers
• Software updates in use on your computers (service pack versions, software updates, and other modifications)
• The function each computer performs in your enterprise
• The applications and programs running on each computer
• Ownership and contact information
• The assets present in your environment and their relative value, to determine which areas need the most protection
• Known vulnerabilities and the processes your enterprise has for identifying new vulnerabilities or changes in vulnerability level
• Countermeasures that have been deployed to secure your environment
This information should be updated regularly and should be readily available to those involved in your update management process.