BACKGROUND AND KEY RISKS:

Patch management is the process of distributing and applying updates from vendors to software. These patches are often the way to correct errors (also referred to as “vulnerabilities” or “bugs”) in the software. Implementing a formal patch management process is key to ensuring that known vulnerabilities do not get exploited. Common areas that will need patches across the University include operating systems, applications, and embedded systems (like network equipment, firewalls, switches, and routers). For example:

Windows Server Patching:

Microsoft software is a common attack target: because it is so widely deployed, Windows vulnerabilities are often exploited by attackers and then used to move to other parts of the network. Windows Server security provides layers of protection built into the operating system to safeguard against security breaches, helps block malicious attacks, and enhances the security of Penn’s applications and data.

Linux Server Patching:

While Red Hat Enterprise Linux is not as commonly targeted as Windows, Red Hat has a long history of adopting and creating security technologies to harden core platforms. Linux patching provides protection against security breaches, helps block malicious attacks, delivers the latest features, and enhances the security of Penn’s applications and data. Linux patch management relies on the Red Hat Enterprise Linux management platform to identify the population of Linux servers to patch and to enable Linux administrators to manage the available security patches, which are released as Red Hat Security Advisory (RHSA) notifications.

Database Patching:

Database software maintenance is critical to the security of Penn’s business, data, and applications. Patching is an essential part of database operations. Database patching provides protection against security breaches, helps block malicious attacks, and enhances the security of Penn’s applications and data.

WHAT MANAGEMENT CAN DO:

  • Maintain an up-to-date inventory of all enterprise level assets for patching
  • Ensure that all enterprise level assets are included on a regular patch management schedule
  • Ensure that there are mechanisms in place to identify newly-released patches
  • Test patches before they are deployed to the production environment
  • Monitor the patching deployment to validate that all deployed patches were successfully applied and have documented procedures for addressing patch failures
  • Ensure that out-of-band patches (e.g., zero-day critical patches) are applied in a timely manner and that processes exist for handling any patching exceptions (e.g., clinical systems running on older servers, end-of-life server exceptions)