Security Patching Requirements and Audit Approaches
By: Mitchell H. Levine, CISA - Audit Serve, Inc.
Most organizations utilize a patch management product to identify and selectively install patches at the workstation and server levels. Many organizations utilize Microsoft's WSUS to manage patch deployments, but WSUS is limited to deploying patches for Microsoft products. However, there are still large organizations which rely on configuring Windows Update at both the server and workstation level, which does not provide a basis for central management to ensure that patches are actually being applied. The Windows Update approach requires users to connect to the Microsoft website and in most cases requires users to be local administrators on their workstation, which opens up additional issues regarding the overall control of the software which is permitted to be installed on the workstation.
Alternatively, when using the Windows Update approach for workstation patch deployment, many users work on workstations on which they are not the local administrator, which means patches are never applied.
From a risk standpoint, a case could be made that only the external-facing components such as FTP, web and email servers need to be patched. However, we have seen the effects of vulnerabilities, caused by a single infected workstation, which can proliferate throughout the corporate enterprise. With companies allowing visitors' laptops to be placed on the network, the problems have escalated in recent years. Auditors should evaluate the standards for allowing non-corporate certified laptops on the corporate network and whether controls are established which force workstations and servers to be detached from the network if they do not have recent patches applied.
One of the major issues confronting organizations is the deployment of database patches for 3rd party vendor products. Organizations are unwilling to independently apply these database patches unless the vendor has certified that it has tested its applications with these patches. It is common for vendors not to include this requirement in their license agreements. With Oracle having moved to a quarterly security patching program three years ago, most 3rd party vendors are falling years behind in certifying their applications as being compliant with these security patches.
Typically, the security patching components discussed in this article would be handled in the following types of audits:
1) Standalone Workstation audits which would cover the security patching of workstations to ensure that workstations are patched in a timely manner.
2) IT General Controls Audits which cover the review of all types of servers to ensure that servers are being patched at an OS and database level in a timely manner. This review would also include an evaluation of the test approach prior to applying these patches. Since it is not practical to establish specific test scripts based on the types of patches being deployed, organizations utilize the method of deploying the patches first to test servers prior to the deployment to production servers. The audit should ensure that specific individuals are assigned the responsibility for providing a positive acknowledgement that there were no issues on the test servers on which these patches are deployed. Typically, organizations just send a notification out to the responsible parties for these test servers asking them to report back if there were any issues.
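To make the distinction in 2) concrete, here is an added Python example (not from the article or from Audit Serve) that models the two controls the article describes: gating a production rollout on an explicit positive acknowledgement from each assigned test-server owner, so that silence is never mistaken for a clean test, and flagging hosts for detachment from the network when their last applied patch is older than an assumed 30-day policy window. The host names, owners and dates are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass
class TestAck:
    """One test server's response to a patch deployment."""
    server: str
    owner: str        # individual assigned responsibility for this test server
    no_issues: bool   # explicit positive acknowledgement that the patch caused no problems
    issue: str = ""   # free-text description when a problem was reported

def production_rollout_allowed(expected_owners, acks):
    """Gate the production rollout on positive acknowledgement.

    expected_owners maps each test server to the person who must sign off.
    A missing record blocks the rollout, so a silent owner cannot be taken
    as a clean test (the weakness of "report back only if there are issues").
    Returns (allowed, blocking_reasons)."""
    received = {a.server: a for a in acks}
    reasons = []
    for server, owner in sorted(expected_owners.items()):
        ack = received.get(server)
        if ack is None:
            reasons.append(f"{server}: no acknowledgement received from {owner}")
        elif ack.issue or not ack.no_issues:
            reasons.append(f"{server}: issue reported by {ack.owner}: {ack.issue or 'unspecified'}")
        elif ack.owner != owner:
            reasons.append(f"{server}: acknowledged by {ack.owner}, expected {owner}")
    return (not reasons, reasons)

def hosts_to_detach(last_patched, today, max_age_days=30):
    """Hosts whose most recent applied patch is older than the policy window
    (assumed here to be 30 days) or unknown, and which should therefore be
    detached from the network until patched."""
    cutoff = today - timedelta(days=max_age_days)
    return sorted(h for h, d in last_patched.items() if d is None or d < cutoff)

if __name__ == "__main__":
    # Constructed sample data, not taken from the article.
    owners = {"tst-app01": "alice", "tst-db01": "bob"}
    acks = [TestAck("tst-app01", "alice", True)]  # bob has not responded
    print(production_rollout_allowed(owners, acks))
    inventory = {"ws-01": date(2008, 5, 1), "ws-02": None, "srv-01": date(2008, 6, 10)}
    print(hosts_to_detach(inventory, date(2008, 6, 20)))
```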
Mitchell Levine is the founder of Audit Serve, Inc. Audit Serve performs PCI Assessment and Remediation Project Management consulting services. Audit Serve also conducts Integrated & IT Audits, SOX Control Design & Testing. Email Mr. Levine at Levinemh@auditserve.com if you would like to discuss your organization's specific project requirements in order to establish a proposal of services.
Copyright 2008, Audit Serve, Inc. All rights reserved. Reproduction, which includes links from other Web sites, is prohibited except by permission in writing.