Patching rhythm: Start a monthly patch process

Computerworld - On the topic of security alerts and patches, Microsoft Corp. is undoubtedly the 800-pound gorilla. When the company publicized its strategy of issuing security alerts once a month (see story), I was initially dismayed, but the wisdom of the decision sank in.
Much of the frustration expressed by IT managers around the world has a lot to do with the unpredictability of security alerts. They could come at any time, and we'd have to drop what we were doing and spring into action -- at least the action of analyzing and understanding how bad the latest salvo could be. What would go through my mind was, "Is this the alert that if left unpatched could lead to 'Son of Blaster'?"
Assimilating patch alerts under the old process was like responding to earthquakes. You could be prepared, to a point, but you never knew when it would strike or how bad it would be.
Now, the security alerts are more like hurricanes. We know they're out there and when they will make landfall (the second Tuesday of the month, all year long), but we still don't know exactly how bad they will be.
Still, Microsoft's releasing security alerts on the second Tuesday of the month presents a great opportunity: the ability to plan.
Mark your calendars
Now that you know when Microsoft will issue the security alerts, it's time to schedule some recurring meetings.

• The morning after the second Tuesday: Schedule one to two hours to analyze security alerts and do some rough prioritizing and risk analysis.
  
• Same day, in the afternoon: Meet with Windows NT administrators and end-user systems administrators to discuss the alerts, their priorities, which ones are relevant, which ones are urgent, which ones can wait and which ones can safely be ignored.
  
• Thursday: Windows NT administrators and end-user systems administrators begin testing systems with patch(es) installed. Also, begin work on patch-distribution plans.
  
• Friday: Distribute patches to test systems. The users who are in the test program know that new patches are coming, and they'll avoid highly critical work since they know that a reboot is likely. The patches will run all day Friday and over the weekend. If you're squeamish about patching test systems on Friday, or if it takes more time to package a test distribution, wait until Monday.
  

  Peter H. Gregory, CISSP, CISA, is an information technology and security consultant, a freelance writer and an author of several books, including Solaris Security, Enterprise Information Security, and CISSP for Dummies. As a consultant he provides strategic technology and security services to small and large businesses. He can be reached at p.gregory@hartgregorygroup.com. His Web site is www.hartgregorygroup.com.

• Tuesday or Wednesday: Meet to discuss testing, make decisions on how to proceed with deployment of patches to entire company.
  
• Thursday: Begin deployment of patches to systems.