Best Practices for Security and Patch Management

These are some notes I took at TechEd a couple of years ago.

7 Steps to Secure Environment:

• Establish a Security Team
• Security Assessment – What impacts our bottom line? What is normal?
• Risk Analysis – For the Assets
• Write a Security Policy. Enforce it.
• Design Operations Plans and Security Standards
• Implement Training and Awareness Measures
• Perform Ongoing Security Management

10 Immutable Laws of Security Patch Management

• 1: Security patches are a fact of life
• 2: It does no good to patch a system that was never secure to begin with
• 3: There is no patch for bad judgment
• 4: You cannot patch what you do not know you have
• 5: The most effective patch is the one you do not have to apply
• 6: A service pack covers a multitude of patches
• 7: All patches are not created equal
• 8: Never base your patching decision on whether you have seen an exploit code … Unless you have seen an exploit code
• 9: Everyone has a patch management strategy, whether they know it or not
• 10: Patch management is really Risk Management