We recently saw an examination finding that recommended that “Critical Patches be deployed within 24 hours of notice (of patch release)”. This would seem to contradict the FFIEC guidance in the Information Security Handbook that states that the institution:
“Apply the patch to an isolated test system and verify that the patch…
(1) is compatible with other software used on systems to which the patch will be applied,
(2) does not alter the system’s security posture in unexpected ways, such as altering log settings, and
(3) corrects the pertinent vulnerability.”
If this testing process is followed correctly, it is highly unlikely that it will be completed within 24 hours of patch release. The rational behind immediate patch release is that the risk of “zero-day exploits” is greater than the risk of installing an untested patch that may cause problems with your existing applications. So the poll question is:
Regardless of your approach, you’ll have to document the risk and how you plan to mitigate it. A “test first” approach might choose to increase end-user training and emphasize other controls such as firewall firmware, IPS/IDS, and Anti-virus/Anti-malware. If you take a “patch first” approach you may want to leave one un-patched machine in each critical department to allow at least minimal functionality in case something goes wrong. You should also test the “roll-back” capabilities of the particular patch prior to full deployment.
I’ll be watching to see if this finding appears in other examinations, and also to see if the guidance is updated online. Until then, because of the criticality of your applications and the required up-time of your processes, I believe a “test-first” approach that adheres to the guidance is the most prudent approach…for now. However you manage it though, be prepared to explain the why and how to the Board and senior management. Not only are the results expected to be included in your annual Board report, it may help to explain repeat future examination findings if your current approach differs from examiner expectations.