Posted: Tue Jan 22, 2013 10:50 pm Post subject: Change Management & Security Updates
Hi all
First of all, hello. Although I am new to posting in these forums, I have been reading through them for some time now and have found the information very helpful. I did do a search prior to adding my topic but got 0 results, so apologies if that is not the case and the question has already been raised.
I have recently moved to a new company and am in the process of evaluating the current Change Management process. One of the areas we seem to be struggling with is the management of security updates. Currently we have a 4 week roll out of a security patch; an RFC is required at each stage (week 1 is pilot users, 30 PCs around the firm globally; week 2 is test, an additional 30 PCs; week 3, 40% of the firm; week 4, the remaining 60%). Each update is put through as a separate RFC, which can result in 10+ security updates for review on a weekly basis.
My main question here, I suppose, is: how do other firms handle such requests for security patching? There has been discussion about raising them as a pre-authorised RFC, something that I disagree with because, although it is a repetitive piece of patching work, the patches differ and we also experience a number of issues the following morning with various things not working as a result of the previous night's patching work.
I would be grateful for any pointers anyone can give on this matter.
Joined: Nov 03, 2012 Posts: 53 Location: Singapore
Posted: Tue Jan 22, 2013 11:16 pm Post subject:
I suppose you're talking about the Microsoft Security Patch.
Here is what we're doing:
1) Verify this in a testing environment with proper version installed on servers.
2) If all goes well, then we directly push this to client by using some automated tools.
So next time when people's laptops, desktops or servers connect to the company network, the patches would be installed automatically.
This is a kind of regular maintenance for servers and we know it would be done every month. So what we need to do is:
1) Setup the maintenance window for this, e.g. Day 24 every month.
2) Raise the RFC and get approval from CAB by showing the testing result.
3) Do the changes by automated tools.
_________________
Luo, Tian-Hong (Ken)
Regional Operation Lead
Joined: Nov 03, 2012 Posts: 53 Location: Singapore
Posted: Tue Jan 22, 2013 11:18 pm Post subject:
BTW, your pain point is not related to process, instead it is about the testing. If the testing is not done correctly, process won't help you.
_________________
Luo, Tian-Hong (Ken)
Regional Operation Lead
Posted: Wed Jan 23, 2013 1:24 am Post subject: Re: Security Updates
Hi KenLuo
Thank you for your reply. Yes, I missed that bit didn't I, it is the Microsoft patches. I agree when you mention that it's the testing of the patching rather than the process. Unfortunately we do not have a test LAN/environment so have to rely on weeks 1 & 2 to flush out any issues!
It's not great. Far from ideal, and unfortunately people seem to think it's a change process issue rather than a testing issue!
Joined: Sep 16, 2006 Posts: 3110 Location: London, UK
Posted: Wed Jan 23, 2013 3:13 am Post subject:
missmcp
You need to have a sandbox & other envs to test the patches from Microsoft. In addition, what you should have is your own Windows update server that pushes the patches from your server, not the public Microsoft server.
The process in a nutshell should be like this
patch comes out
you deploy to sandbox. this is to determine if the patch blows up a standard desktop, laptop or server that you have
Note: If you don't have these.. set them as the first priority
once done in sandbox... for the server patches, you deploy to dev, st, sit and then production - especially if your system applications are customized. you would test the general functionality - the support teams should do this
for the laptops, desktops, - set the machines in clusters - IT Team (test subjects), Senior mgmt, mid mgmt, flunkies, payroll, service desk, help desk etc
deploy the tested patches to a sample group
meanwhile work with change and release mgmt team to get the above process approved as a continual cycle of changes/release hence not needing to request every period.
Once this is in place and has worked several cycles, you should report back to the C/R every period on the success / failures
In addition, you should report to the various support teams about the patches that go to a server for them to analyse as well
_________________
John Hardesty
ITSM Manager's Certificate (Red Badge)
Change Management is POWER & CONTROL. /....evil laughter
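An added illustration, not part of any post in this thread: one way to run the staged rollout as a single recurring release, with a promotion gate between rings and a per-cycle success/failure report for change and release management. The ring sizes come from the first post; the host names, failure thresholds and function names are assumptions.

```python
import hashlib

# Ring order follows the schedule in the first post: 30 pilot PCs, 30 test PCs,
# then 40% and 60% of the remaining machines. Thresholds are assumed values.
RINGS = ["pilot", "test", "wave1", "wave2"]
MAX_FAILURE_RATE = {"pilot": 0.0, "test": 0.05, "wave1": 0.02}


def assign_rings(hosts, pilot=30, test=30, wave1_share=0.40):
    """Place every host in exactly one ring, identically on every patch cycle."""
    ordered = sorted(hosts, key=lambda h: hashlib.sha256(h.encode()).hexdigest())
    rest = ordered[pilot + test:]
    cut = round(len(rest) * wave1_share)
    return {
        "pilot": ordered[:pilot],
        "test": ordered[pilot:pilot + test],
        "wave1": rest[:cut],
        "wave2": rest[cut:],
    }


def failure_rate(ok, failed):
    """A ring that reported nothing counts as failed: no evidence, no promotion."""
    total = ok + failed
    return failed / total if total else 1.0


def next_action(results):
    """results maps ring -> (ok, failed) install counts for one patch batch."""
    for ring in RINGS:
        if ring not in results:
            return ("deploy", ring)
        limit = MAX_FAILURE_RATE.get(ring)
        if limit is not None and failure_rate(*results[ring]) > limit:
            return ("halt", ring)
    return ("complete", RINGS[-1])


def cycle_report(batch_id, results):
    """Per-ring success/failure summary to hand to change and release management."""
    rows = [(r, *results[r], round(failure_rate(*results[r]), 3))
            for r in RINGS if r in results]
    return {"batch": batch_id, "rings": rows, "outcome": next_action(results)}


if __name__ == "__main__":
    hosts = [f"PC-{n:04d}" for n in range(1000)]  # constructed inventory
    print({ring: len(members) for ring, members in assign_rings(hosts).items()})
    print(cycle_report("2013-01", {"pilot": (30, 0), "test": (29, 1)}))
```
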
Posted: Fri Jan 25, 2013 6:36 am Post subject: Re Change & Security
Hi UKViking
Thank you for taking the time to reply to my post. A sandbox.....if only we were that fortunate! We do not have a test or dev network, which I agree is an area for concern. If we did have one, it would have stopped the chaos I walked into this morning when an update went out causing a massive issue.