These are some notes I took at TechEd a couple of years ago.

7 Steps to a Secure Environment:

  • Establish a Security Team
  • Security Assessment – What impacts our bottom line? What is normal?
  • Risk Analysis – For the Assets
  • Write a Security Policy. Enforce it.
  • Design Operations Plans and Security Standards
  • Implement Training and Awareness Measures
  • Perform Ongoing Security Management

10 Immutable Laws of Security Patch Management

  • 1: Security patches are a fact of life
  • 2: It does no good to patch a system that was never secure to begin with
  • 3: There is no patch for bad judgment
  • 4: You cannot patch what you do not know you have
  • 5: The most effective patch is the one you do not have to apply
  • 6: A service pack covers a multitude of patches
  • 7: All patches are not created equal
  • 8: Never base your patching decision on whether you have seen exploit code … Unless you have seen exploit code
  • 9: Everyone has a patch management strategy, whether they know it or not
  • 10: Patch management is really Risk Management