Patch management is the process of identifying, acquiring, installing, and verifying patches for products and systems. Patches correct security and functionality problems in software and firmware, and they matter from a security perspective because they remove the flaws that make software vulnerable. Applying patches promptly significantly reduces an adversary's opportunities to harm a system or environment. Patches also serve other purposes, such as adding features and expanding security capabilities. The University has largely operationalized patch management as a core IT function. Every department should still consider patch management deliberately in the context of information security, because it is essential to achieving and maintaining an adequate security posture.
Effective patch management
Effective patch management consists of identifying affected or vulnerable software, evaluating the available patches, testing and deploying them, and confirming that they were installed successfully. Most operating systems (OSes) include a patching mechanism, but it typically covers only the OS itself. It is crucial to supplement OS patching with patching of application software.
Vendors that bundle patches generally release them on a monthly or quarterly cadence; when an unpatched vulnerability is being actively exploited, they typically issue an out-of-band patch as soon as one is available. Ultimately what matters is not when the patch was installed but when it actually takes effect: a patch that requires a reboot or a service restart provides no protection until that restart happens.
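The distinction between "installed" and "in effect" can be checked on a host. The following shell script is an added example, not part of the ISPO guideline; it assumes a Linux system with the usual /proc layout, and the kernel release strings and the /proc/<pid>/maps content it uses are constructed sample data, not captured from a real host. It shows the two most common ways a patch is present on disk but not yet protecting anything: a newer kernel that is installed but not running, and a shared library that was replaced on disk while a long-running process still maps the old copy.

```shell
#!/bin/sh
# Added example for this page (not part of the ISPO guideline): two checks that tell
# "patch installed" apart from "patch in effect" on a Linux host.
#   1. A kernel update is installed, but the old kernel keeps running until reboot.
#   2. A shared library was replaced on disk, but a long-running process still maps the
#      old copy; the kernel marks such mappings "(deleted)" in /proc/<pid>/maps.
# Assumptions: Linux /proc layout and a POSIX awk; the sample inputs are constructed.

# Print "current" if the running kernel is the newest installed one, else "reboot-pending".
# Arguments: running release (as from `uname -r`), newest installed release.
kernel_state() {
    if [ "$1" = "$2" ]; then
        echo "current"
    else
        echo "reboot-pending"
    fi
}

# Read /proc/<pid>/maps lines on stdin and print each shared object whose on-disk file
# was replaced while still mapped. Field 6 is the pathname; when the mapped inode has
# been unlinked, the kernel appends a 7th field, the literal "(deleted)". Restricting to
# ".so" names skips unlinked temp files and memfd regions, which are normal.
stale_libraries() {
    awk '$7 == "(deleted)" && $6 ~ /\.so/ { print $6 }' | sort -u
}

# Constructed sample (not captured from a real host): a web server kept the old libssl
# mapped after the package on disk was updated.
SAMPLE_MAPS='55d0c1a00000-55d0c1a20000 r--p 00000000 08:01 131073 /usr/sbin/nginx
7f3a1c000000-7f3a1c0a0000 r-xp 00000000 08:01 262145 /usr/lib/x86_64-linux-gnu/libssl.so.3 (deleted)
7f3a1c0a0000-7f3a1c0c0000 r--p 000a0000 08:01 262145 /usr/lib/x86_64-linux-gnu/libssl.so.3 (deleted)
7f3a1c100000-7f3a1c300000 r-xp 00000000 08:01 262200 /usr/lib/x86_64-linux-gnu/libc.so.6
7f3a1c400000-7f3a1c401000 rw-p 00000000 00:00 0'

# Demonstration on the constructed data (constructed release strings as well).
echo "kernel: $(kernel_state 5.15.0-100-generic 5.15.0-105-generic)"
echo "stale libraries:"
printf '%s\n' "$SAMPLE_MAPS" | stale_libraries

# On a live host (commented out so the example runs anywhere; sort -V is GNU sort):
#   kernel_state "$(uname -r)" "$(ls /boot/vmlinuz-* | sed 's|.*/vmlinuz-||' | sort -V | tail -n 1)"
#   for m in /proc/[0-9]*/maps; do stale_libraries < "$m" 2>/dev/null | sed "s|^|${m%/maps}: |"; done
```

A host that reports "reboot-pending" or lists any stale library should be treated as unpatched for the corresponding vulnerability, regardless of what the package inventory says, until the reboot or service restart is done and the check comes back clean.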
Prioritizing which patches to apply, and when, depends on more than the vendor's release schedule. Weigh the relative importance of the vulnerable systems (for example, servers versus clients) and the severity of each vulnerability. Please reference the ISPO's Vulnerability Remediation Guideline for the University's mandatory vulnerability remediation timeframes.
It is critical to replace software before its End-of-Support (EOS) date. EOS is the point at which the vendor no longer offers updates, patches, or other support; vulnerabilities discovered after that date will never be fixed, so the software's exposure only grows over time.
Using unsupported software, firmware, and hardware puts the University at risk in the following ways:
- Subsequent vulnerability disclosures place UNM at significant risk, with no patch available.
- The University becomes subject to regulatory compliance issues and violations.
- Support costs increase when extended support contracts are needed.
Replacing software, firmware, and hardware before it reaches EOS significantly reduces these risks and costs.
NOTICE: The ISPO's Information Security Operations area will update this document on a periodic basis in response to emerging trends and guidance from information security professional organizations.
The ISPO utilizes the University’s enterprise ticketing system Help.UNM and intake services provided by the UNM Information Technologies (UNM IT) Service Desk, the University's central support organization for information technology-related services and computer-related issues. All information security-related events, incidents, and requests are forwarded to the ISPO by UNM IT Service Desk Staff. If you have feedback or questions regarding this document, please use Help.UNM or call the UNM IT Service Desk at 7-5757 to ensure that your request is opened, tracked, and processed in a timely manner.