Educause Security Discussion mailing list archives

Previous By Date Next
Previous By Thread Next

Change Management [was:RE: Windows Patch Management]

From: "Anderson, Kelly" <kjanders () UMICH EDU>
Date: Mon, 11 Dec 2006 09:49:08 -0500
Good Morning List, 
 
We have a documented patch management plan for our services.  Since we do not manage workstations (except our own), we 
manually apply patches after a risk assessment of each patch is done by yours truly.  All patches eventually get 
applied, critical patches get applied within 24 hours or less, less critical patches sometimes wait until the next 
maintenance/outage period for that server.  I'd be happy to share my plan - just send me a private message.  
 
However, I'm wondering if any of you have a formal procedure/format you follow for change management.  I am looking for 
an efficient way to approve and document changes.  We do not want to be bogged down with procedures and review 
committees, we just need something quick and concise.  Right now we keep a calendar on our Exchange system to which we 
add all change events.  That seems to work for the documentation part, but I'd like some more thoughts on the 
approval/review process before the change happens.  
 
Sorry that this question sounds a bit vague...I'm looking for ideas.  
 
Thanks!
 
Kelly Jo Anderson  
University of Michigan  
kjanders (at) umich (dot) edu  
 
 

________________________________

From: Rose, Ryan [mailto:Ryan.Rose () UNCO EDU]
Sent: Thu 12/7/2006 9:18 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Windows Patch Management



Zeb,

Good point, the change management forms and preparation is what takes
the most time and causes the most angst.  We use WSUS for our
workstation environment, but due to some inadvertent installations and
reboots we have stayed away from the servers.

Thanks for the feedback,

Ryan

-----Original Message-----
From: Bowden, Zeb [mailto:zbowden () VT EDU]
Sent: Thursday, December 07, 2006 6:49 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Windows Patch Management

We're using WSUS to distribute and approve the updates for our servers
and have found this saves quite a bit of time. It's also pretty flexible
and has decent reporting for patch status and verification.

Is it the actual patching that's taking so much time and driving your
admins crazy or is it the preparation for the patching (backups,
testing, verification, etc)?

Zeb Bowden
zbowden () vt edu



-----Original Message-----
From: Rose, Ryan [mailto:Ryan.Rose () UNCO EDU]
Sent: Wednesday, December 06, 2006 5:12 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Windows Patch Management

Greetings,

I'm curious how other institutions are conducting Windows Server Patch
Management.  Currently we are testing the patches in our test
environment for the week following the release date.  We then roll-out
the updates to all productions servers over the following weekend within
our maintenance windows.  This takes an amazing amount of time, we
believe it is best to stick to a monthly schedule but our sys admins are
going crazy.  Any suggestions or thoughts around this issue.

Thanks in advance,

Ryan
Previous By Date Next
Previous By Thread Next

Current thread: