
3 Ways to Meet the Patch Management Challenge

After 7 Years, NIST Updates Its Patch-Management Guidance

Patch management is a fundamental component of every organization's information-security program. Still, many organizations do not consistently apply the patch-management process of identifying, acquiring, installing and verifying security updates for applications and systems.

To encourage wider use of patch-management processes, the National Institute of Standards and Technology has issued a draft of Special Publication 800-40 Revision 3: Guide to Enterprise Patch Management Technologies. The revised guidance would replace SP 800-40 Revision 2, which NIST issued in 2005.

Organizations that manage patching effectively, and so minimize the time they spend on it, can redirect those resources to other security concerns, write guidance authors Murugiah Souppaya and Karen Scarfone.

"Already, many organizations have largely operationalized their patch management, making it more of a core IT function than a part of security," the authors write. "However, it is still important for all organizations to carefully consider patch management in the context of security because patch management is so important to achieving and maintaining sound security."

The NIST guidance recommends that organizations:

  1. Deploy enterprise patch management tools using a phased approach that allows process and user communication issues to be addressed with a small group before deploying the patch application universally.
  2. Reduce the risks associated with enterprise patch management tools through the application of standard security techniques that should be used when deploying any enterprise-wide application. Deploying enterprise patch management tools within an enterprise can create additional security risks for an organization; however, a much greater risk is faced by organizations that do not effectively patch their systems.
  3. Balance their security needs with their needs for usability and availability. Organizations should make provisions for ensuring that their enterprise patching solution works for mobile hosts and other hosts used on low-bandwidth or metered networks.

NIST is seeking comments from stakeholders on its patch management draft guidance. Comments should be sent by Oct. 5 to, with the subject line: SP 800-40 Comments.

About the Author

Information Security Media Group
