

Introduction to the Patch Management Process

The remaining sections in this chapter describe a patch management process as recommended by Microsoft. This process, introduced in Microsoft Solutions for Management (MSM) 2.5, uses a four-phase approach of Assess, Identify, Evaluate & Plan, and Deploy and is based on several MOF functions. Also discussed are the implementation of an SMS 2003 infrastructure and its functions in patch management and deployment, along with instructions on responding to patch emergencies and accelerated timelines.

The Microsoft Operations Framework (MOF)

There are many approaches to planning and implementing patch management solutions. The preferred approach is to base a solution upon an existing operations framework, such as MOF. MOF was designed to provide prescriptive guidance to organizations about how to manage their IT operations. MOF consists of three models:

  • The process model

  • The team model

  • The risk model

Of specific interest to patch management, the MOF process model is a functional model of the processes performed by operations teams when managing and maintaining IT Services. It's based upon the Office of Government Commerce's IT Infrastructure Library (ITIL), a widely accepted body of practice for operations management. The team model and risk model might also be of interest, as they provide guidance on the formation of patch management teams, including duties and responsibilities, and a structured approach to managing risk, which is useful when evaluating alerts of vulnerability and software updates and determining the best course of action.

More Info 

For more information about the Office of Government Commerce's ITIL, visit its Web site at http://www.itil.co.uk.

The MOF process model defines four quadrants of management, as shown in Figure 13.2. The quadrants are Changing, Operating, Supporting, and Optimizing. Each quadrant has a mission of service. In the Changing quadrant the mission is to introduce new service solutions, technologies, systems, applications, and processes. The mission of the Operating quadrant is to perform and manage the daily tasks associated with running IT Services. As the name suggests, the Supporting quadrant's mission is to resolve incidents, problems, and inquiries as they arise. Lastly, the Optimizing quadrant's mission is to examine the environment the IT Services run in and drive changes to optimize cost, performance, capacity, and availability.

Figure 13.2: The MOF process model.

Within each quadrant are major management review processes. These are necessary checkpoints used to guarantee success of the management processes. The reviews are split into two categories: time-based and release-based. The Release Readiness Review and Release Approved Review are release-based reviews and take place before and after a release into the computing environment. The Operations Review and SLA (Service Level Agreement) Review, both time-based reviews, should occur at regular intervals to assess the performance of the internal operations and the agreed-upon customer service levels.

Any comprehensive patch management solution will touch on all four quadrants of the MOF process model. For example, an organization is focused on auditing systems for patch compliance and monitoring alerts for vulnerability and software updates in the Operating quadrant; on assessing and planning the response to alerts and downloading and evaluating any updates in the Supporting quadrant; on packaging and testing updates in the Optimizing quadrant; and on distributing and installing updates, as well as auditing and rolling back the update if required, in the Changing quadrant.

The Microsoft-Recommended Patch Management Process

Introduced in Microsoft Solutions for Management 2.5 and based on the MOF Change Management, Release Management, and Configuration Management service management functions, the Microsoft-recommended patch management process is a four-phase approach to managing updates to software. The four phases are Assess, Identify, Evaluate & Plan, and Deploy. The process and its four phases are shown in Figure 13.3.

Figure 13.3: The Microsoft-recommended four-phase patch management process.

Defined events trigger movement through the phases of the process. Beginning with the Assess phase, the triggering event that causes a move to the Identify phase is notification that a software update exists. The event that causes a move from the Identify phase to the Evaluate & Plan phase is the submission of a formal Request for Change (RFC). The triggering event for a move to the Deploy phase from the Evaluate & Plan phase is the receipt of approval to deploy the software update into the production environment. Finally, the move from the Deploy phase to the Assess phase and the beginning of the process cycle again is triggered by completion of the release of the software update.

Within each phase there are discrete steps that together implement the patch management process. These steps, and the phases they belong to, are described in Table 13.1.

Table 13.1: Steps in the four-phase patch management process

Phase: Assess

  • Inventory/discover existing computing assets.

  • Assess security threats and vulnerabilities.

  • Determine the best source for information about new software updates.

  • Assess the existing software distribution infrastructure.

  • Assess operational effectiveness.

Phase: Identify

  • Discover new software updates in a reliable way.

  • Determine whether software updates are relevant.

  • Obtain and verify software update source files.

  • Determine nature of software update and submit RFC.

Phase: Evaluate & Plan

  • Determine the appropriate response.

  • Plan the release of the software update.

  • Build the release.

  • Conduct acceptance testing of the release.

Phase: Deploy

  • Deployment preparation.

  • Deployment of the software update to targeted computers.

  • Post-implementation review.

Although no technology solution can automate the entire patch management process, technology can help somewhat, and SMS 2003 integrates well into patch management processes.


