Re: Desktop patch management?

[Omar Herrera <omar_herrera () BANXICO ORG MX>]

Craig,

Forcing the update Hill be extremely difficult in this situation; even
if there are technological solutions that would allow to do that it
won't help in your relationship. I would recommend to ask management to
create a committee that takes decisions on these special "emergency"
events. This committee should include representatives from different
departments (at least of those that are most important). They are the
ones directly affected, so, inviting them to participate will help you
to:
a) increase their security consciousness 
b) involve them in the process
c) reduce tension in your relationship with them

It is critical that management gets actively involved, otherwise you
will face deadlock situations where the committee can't take a decision.

In this way, management is not forcing anyone, you get them (users)
involved and, even if this is slower than giving you full power to
enforce security, it should improve your capabilities to prevent and
react to security incidents.

Remember that security is not a business process by itself in most
organizations; it supports the business process though. I don't like the
idea to see Universities as businesses, but we do have our own main
processes and goals (transfer knowledge and experience, research ...).
When users understand that patching the machine is for their own benefit
(to allow them to continue working), resistance will lessen.

Omar Herrera, CISSP

Instituto Tecnológico y de Estudios Superiores de Monterrey, 
Mexico City Campus 
Information security topic and laboratory


-----Mensaje original-----
De: The EDUCAUSE Security Discussion Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] En nombre de Craig W. Drake
Enviado el: Viernes, 12 de Septiembre de 2003 12:04 PM
Para: SECURITY () LISTSERV EDUCAUSE EDU
Asunto: [SECURITY] Desktop patch management?

I was just wondering how everyone is handling desktop patch management
in their environments.  We are in a situation where users/departments
manage their own desktop systems.  We do not have any kind of Windows
domain structure and do not have any kind of common administrator
account/password on desktops university-wide.  Some users/departments
have very negative attitudes towards our IT department and do not want
anybody from our department "messing with" their computers. Management
doesn't want to lose favor with those users by forcing them to comply
with any kind of centralized IT policy. We have tried sending out emails
to our users asking them to visit WindowsUpdate, but only about half of
the computers get updated.  Does anybody have any suggestions on how to
force all of the updates to all of the computers on campus in this
situation? 
  

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.