Overseeing Compliance of Security Operations ◾ 179
© 2011 by Taylor & Francis Group, LLC
Downloading patches from the vendor to a central location saves on bandwidth that would otherwise be necessary to support downloading from the vendor to each individual desktop. The central repository may then facilitate the forced installation of patches throughout the enterprise from within the enterprise. Patch management software provides a means to test patches prior to deployment throughout the enterprise. The patch management software also provides a database of software, current versions, and patched systems that provides input to overall enterprise situational awareness.
Part of the benefit of creating a policy and standards for a common desktop environment (CDE) is to facilitate the capability to test once, deploy many. If a patch works well with the CDE, then deploying the patch enterprise-wide should not create problems. The CDE is a standard that enumerates permissible software and operating system settings. Managing PCs enterprise-wide is greatly simplified, though still far from simple, if you implement and enforce an enterprise CDE standard.
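The two paragraphs above describe a patch-management database of software and versions, and a CDE standard that enumerates permissible software. The following is an added example, not code from the book, showing how such a database can be compared against a CDE baseline to report hosts missing a patch or running software the CDE does not permit. The baseline, host names, package names and version numbers are all constructed for illustration.

```python
"""Added example: patch-compliance check of a host inventory against a
common desktop environment (CDE) baseline. All data below is constructed."""

from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed CDE baseline: permitted software and the minimum patched version.
CDE_BASELINE: Dict[str, str] = {
    "os_build": "10.0.19045",
    "browser": "115.0.2",
    "pdf_reader": "23.1.0",
}

# Constructed inventory, the kind of data a patch-management database holds:
# host -> {package: installed version}.
INVENTORY: Dict[str, Dict[str, str]] = {
    "desk-001": {"os_build": "10.0.19045", "browser": "115.0.2", "pdf_reader": "23.1.0"},
    "desk-002": {"os_build": "10.0.19044", "browser": "115.0.2", "pdf_reader": "23.1.0"},
    "desk-003": {"os_build": "10.0.19045", "browser": "114.0.1", "pdf_reader": "23.1.0",
                 "media_tool": "2.4"},
}


def version_key(version: str) -> Tuple[int, ...]:
    """Turn a dotted version string into a tuple so versions compare numerically
    ("10.0.19045" > "10.0.9999", which a plain string comparison gets wrong)."""
    return tuple(int(part) for part in version.split("."))


@dataclass(frozen=True)
class Finding:
    host: str
    package: str
    installed: Optional[str]   # None when the package is absent from the host
    required: Optional[str]    # None when the package is not in the baseline
    kind: str                  # "missing_patch", "missing_package", "unapproved_software"


def check_host(host: str, installed: Dict[str, str],
               baseline: Dict[str, str] = CDE_BASELINE) -> List[Finding]:
    """Return every deviation of one host from the CDE baseline."""
    findings: List[Finding] = []
    # Everything the CDE requires must be present and at least the patched version.
    for package, required in baseline.items():
        if package not in installed:
            findings.append(Finding(host, package, None, required, "missing_package"))
        elif version_key(installed[package]) < version_key(required):
            findings.append(Finding(host, package, installed[package], required, "missing_patch"))
    # The CDE enumerates permissible software; anything else is a finding too.
    for package, version in installed.items():
        if package not in baseline:
            findings.append(Finding(host, package, version, None, "unapproved_software"))
    return findings


def check_enterprise(inventory: Dict[str, Dict[str, str]],
                     baseline: Dict[str, str] = CDE_BASELINE) -> Dict[str, List[Finding]]:
    """Run the per-host check across the whole inventory."""
    return {host: check_host(host, packages, baseline) for host, packages in inventory.items()}


def compliance_summary(inventory: Dict[str, Dict[str, str]],
                       baseline: Dict[str, str] = CDE_BASELINE) -> dict:
    """Situational-awareness view: which hosts are clean, and what each other host needs."""
    results = check_enterprise(inventory, baseline)
    compliant = sorted(host for host, findings in results.items() if not findings)
    return {"compliant": compliant, "total": len(inventory), "findings": results}


if __name__ == "__main__":
    summary = compliance_summary(INVENTORY)
    print(f"{len(summary['compliant'])}/{summary['total']} hosts compliant: {summary['compliant']}")
    for host, findings in summary["findings"].items():
        for f in findings:
            print(f"{host}: {f.kind} {f.package} installed={f.installed} required={f.required}")
```

Feeding the output of this check back into the deployment queue is what lets the central repository target only the hosts that still need a patch, and the "unapproved_software" findings are the cases where "test once, deploy many" no longer holds because the host has drifted from the CDE that the patch was tested against.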
Patch Management, Risk Posture, and Security Posture
The enterprise security posture is the aggregation of all the safeguards and precautions that mitigate risk. The enterprise risk posture is the formal articulation of an intentionally assumed position on dealing with potential negative impact. Awareness of a new vulnerability does not change the security posture, i.e., no safeguard or precaution is any different than it was. Likewise, this vulnerability awareness does not change the risk posture, i.e., the enterprise still has the same stance on risk that it did before. Risk exposure does not change either, i.e., the enterprise has the same degree of risk exposure. What does change is the risk awareness, which is the level of conscious knowledge of potential negative impact. This new awareness starts a sequence of events that evaluates risk exposure (e.g., yes, this vulnerability does indeed represent a high degree of risk exposure to the enterprise), evaluates the risk posture (e.g., yes, we should modify our risk posture to mitigate this risk), and modifies the security posture accordingly (i.e., we will install a patch to eliminate the vulnerability).
The reason for distinguishing among security posture, risk posture, risk exposure, and risk awareness is to point out nuances of consideration for installing the patch. Often, installing patches is like squeezing jelly; every time you tighten up one area of your fist, jelly shoots out another. Installing the patch may take care of the risk you are now aware of, but it may introduce new risk to other parts of business operations. How do you know if this happens? One method is to set up a test lab, install the patch on a mirror of the production system, and test the effects on system and application operations. Another is to install the patch directly on the production system and be prepared with back-out procedures. Establishing a test lab requires an investment of time and resources. Using a test lab is the most prudent approach from a risk management perspective. Installing patches on the fly in production may be necessary to respond to a critical operations need. If this is