What should a corporate patch management review from an external IT audit include? If you have ever scoped an external tender for a 3rd party to audit your PM processes and strategy – what did you state they look at? Aside from checking for missing patches – is there perhaps a top 10 checks to do? It can’t be just as simple as here is your missing patches – the end, there must be more checks than that?

Also where would be the most logical place to start (i.e. higher and medium risk), and what lower risk patches could be discarded from such a review?

asked 11/27/2011 10:00

pma111 ♦♦


17 Answers:
Installed and not installed patches (critical and high risk patches are always the first place to start).
Service packs for operating systems and office products.
Software that should not be installed; software that should be installed.
Virus clients up to date! Virus clients scanning systems and reporting back to the server correctly!
How many machines have received virus/malware. Email volume. Firewalls installed? Open ports?
Any DLP (Data Leak Protection) management? Are thumb drives allowed? Are CD/DVD burners allowed?

answered

CanusRufus

Thanks

>> Any DLP (Data Leak Protection) management? Are thumb drives allowed? Are CD/DVD burners allowed?

Would that fall into a patch management review, or just a general vuln assessment?

As for "where to start", I was also getting at perhaps which part of the infrastructure to start with.

answered 2011-11-28 at 06:13:46

pma111

>> Firewalls installed? Open ports?

Again, is this patch management or in the remit of a PM audit review?

answered 2011-11-28 at 06:29:10

pma111

My apologies. Yes, that is more of an overall assortment for review. Where to start on an audit depends on the agency conducting the audit.

For patch management, it's you're patched or you're not. It all depends if the audit is looking for just Microsoft patches and the level of severity of them, or if they are looking for app patch management as well: correct versions of Adobe Reader, Flash players, zip software etc. Those can be considered not patched as well if the update to the software is not installed.
Ex: Adobe Reader should be at 9.4.6 at this time with the updates that they've released, but does not have to be at version 10 (X) because it's considered a different version of the software...
...

answered 2011-11-28 at 06:35:47

CanusRufus

So if a 3rd party was brought in to do a patch management review, all they'd do is report on unpatched servers/applications? That's all they'd check and report on?

answered 2011-11-28 at 06:50:00

pma111

> So if a 3rd party was brought in to do a patch management review, all they'd do is report on unpatched servers/applications? That's all they'd check and report on?

See the blue box on page 3 from Patch-Management-1.pdf

This is what I see as the backbone of an audit.

answered 2011-11-28 at 07:04:08

Tolomir

Spot on Tolomir, exactly what I was after.

answered 2011-11-28 at 07:06:47

pma111

Ok, I admit I'm being a little vague here. Take a look at this resource and let me know if it helps any....

http://www.rfgonline.com/reprints/ibm/091703nt.html

answered 2011-11-28 at 07:09:46

CanusRufus

Your input on higher risk systems/servers and their impact on patch priority in terms of infrastructure/network design is also welcome.

answered 2011-11-28 at 07:10:02

pma111

Ok,

you need personnel, at least a support contract for bought software.
You need a test setup to check if a patch is working / helping properly.

You need access to security lists that post vulnerabilities; now the support contract comes into play. If there is a software flaw you need to get it fixed.
So basically you have to calculate the costs: personnel, knowledge and response time. This goes into financial management.

answered 2011-11-28 at 07:11:50

Tolomir

Thinking in terms of likelihood of an exploit: would certain systems and their location in the network design take precedence in terms of "higher risk" missing patches? I.e. web servers more of a risk than file servers on which no internet browsing is permitted. Have you ever conducted a risk assessment for priority or higher risk systems and their patch application (time) requirements?

answered 2011-11-28 at 07:25:18

pma111
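An added example, not code from the thread or any poster, that puts together two points raised above: CanusRufus's remark that an installed version is judged against the current level of its own major branch (a 9.x Adobe Reader against 9.4.6, not against 10.x), and the exposure-based priority pma111 asks about here. The zone and severity weights, the 10.x version value and the inventory records are constructed assumptions for illustration.

```python
from dataclasses import dataclass

# Constructed weights: network exposure times vendor severity ranks a finding.
ZONE_WEIGHT = {"dmz": 3, "internal": 2, "isolated": 1}
SEVERITY_WEIGHT = {"critical": 4, "high": 3, "medium": 2, "low": 1}

# Expected patch level per major branch. 9.4.6 is the figure from the thread;
# the 10.x value is a constructed placeholder, not a real release reference.
EXPECTED = {"adobe_reader": {"9": "9.4.6", "10": "10.1.1"}}

def parse_version(text):
    """'9.4.6' -> (9, 4, 6) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in text.split("."))

def branch_status(product, installed):
    """Judge an install against the expected level of its own major branch
    (a 9.x install against 9.4.6, not against the 10.x line).
    Returns (expected_version, compliant); unknown branches are non-compliant."""
    major = installed.split(".", 1)[0]
    expected = EXPECTED.get(product, {}).get(major)
    if expected is None:
        return None, False  # flag for manual review by the auditor
    return expected, parse_version(installed) >= parse_version(expected)

@dataclass(frozen=True)
class Finding:
    host: str
    zone: str       # dmz / internal / isolated
    product: str
    installed: str  # version found by the inventory scan
    severity: str   # vendor severity of the pending update

def score(f):
    """Higher when the host is more exposed and the missing update more severe."""
    return ZONE_WEIGHT[f.zone] * SEVERITY_WEIGHT[f.severity]

def prioritise(findings):
    """Keep only non-compliant installs, most exposed and most severe first."""
    missing = [f for f in findings if not branch_status(f.product, f.installed)[1]]
    return sorted(missing, key=score, reverse=True)

# Constructed inventory records, as a software inventory export might look.
SAMPLE = [
    Finding("web01", "dmz", "adobe_reader", "9.4.2", "critical"),
    Finding("file01", "isolated", "adobe_reader", "9.4.2", "critical"),
    Finding("pc17", "internal", "adobe_reader", "9.4.6", "critical"),  # compliant
    Finding("pc18", "internal", "adobe_reader", "10.0.1", "high"),
]
```

prioritise(SAMPLE) returns web01 first, then pc18, then file01; pc17 is dropped because it is already at the expected 9.4.6.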

No, sorry. I don't work in this industry. We have many, but just servers with "normal status" regarding availability, integrity, confidentiality.

I can give you this link though:

https://www.bsi.bund.de/ContentBSI/grundschutz/intl/intl.html

BSI-Standard 100-1: Information Security Management Systems (ISMS) (pdf, 1,11 MB)
BSI Standard 100-2 IT-Grundschutz Methodology (pdf, 1,9 MB)
BSI Standard 100-3: Risk Analysis based on IT-Grundschutz (pdf, 893,37 KB)
BSI Standard 100-4: Business Continuity Management (pdf, 1,16 MB)

answered 2011-11-28 at 07:36:20

Tolomir

@CanusRufus:
In that link you sent (thanks), the term "desktop products": is that Adobe, Flash, Java etc.?

answered 2011-11-28 at 07:55:10

pma111

And what is a "web database server", the database in the private LAN that feeds data to the web app?

answered 2011-11-28 at 08:08:48

pma111

Yes, all software and perhaps hardware.

answered 2011-11-28 at 08:09:40

CanusRufus

Seen: 255 times

Last updated: 12/12/2011 07:21