Change Management & Security Updates

 
missmcp38
Newbie


Joined: Jan 22, 2013
Posts: 4

Posted: Tue Jan 22, 2013 10:50 pm    Post subject: Change Management & Security Updates

Hi all

First of all, hello :) Although I am new to posting in these forums, I have been reading through them for some time now and have found the information very helpful. I did do a search prior to adding my topic but got 0 results, so apologies if that is not the case and the question has already been raised.

I have recently moved to a new company and am in the process of evaluating the current Change Management process. One of the areas we seem to be struggling with is the management of security updates. Currently we have a 4 week roll out of a security patch; an RFC is required at each stage. (Week 1 is pilot users, 30 PCs around the firm globally. Week 2 is test, an additional 30 PCs. Week 3, 40% of the firm. Week 4, the remaining 60%.) Each update is put through as a separate RFC, which can result in 10+ security updates for review on a weekly basis.

My main question here I suppose is, how do other firms handle such requests for security patching? There has been discussion about raising them as a pre-authorised RFC, something that I disagree with as, although it is a repetitive piece of patching work, the patches differ and also, we experience a number of issues the following morning with various things not working as a result of the previous night's patching work.

I would be grateful for any pointers anyone can give on this matter.

Thanks in advance

Missmcp
KenLuo
Senior Itiler


Joined: Nov 03, 2012
Posts: 55
Location: Singapore

Posted: Tue Jan 22, 2013 11:16 pm

I suppose you're talking about the Microsoft Security Patch.

Here is what we're doing:
1) Verify this in a testing environment with proper version installed on servers.
2) If all goes well, then we directly push this to client by using some automated tools.

So next time when people's laptops, desktops or servers connect to the company network, the patches would be installed automatically.

This is a kind of regular maintenance for servers and we know it would be done every month. So what we need to do is:
1) Set up the maintenance window for this, e.g. Day 24 every month.
2) Raise the RFC and get approval from CAB by showing the testing result.
3) Do the changes by automated tools.
_________________
Luo, Tian-Hong (Ken)
Regional Operation Lead

ITIL Expert Certified
KenLuo
Senior Itiler


Joined: Nov 03, 2012
Posts: 55
Location: Singapore

Posted: Tue Jan 22, 2013 11:18 pm

BTW, your pain point is not related to process, instead it is about the testing. If the testing is not done correctly, process won't help you.
_________________
Luo, Tian-Hong (Ken)
Regional Operation Lead

ITIL Expert Certified
missmcp38
Newbie


Joined: Jan 22, 2013
Posts: 4

Posted: Wed Jan 23, 2013 1:24 am    Post subject: Re: Security Updates

Hi KenLuo

Thank you for your reply. Yes, I missed that bit didn't I, it is the Microsoft patches. I agree when you mention that it's the testing of the patching rather than the process. Unfortunately we do not have a test LAN/environment so have to rely on weeks 1 & 2 to flush out any issues!

It's not great. Far from ideal and unfortunately people seem to think it's a change process issue rather than a testing issue!
UKVIKING
Senior Itiler


Joined: Sep 16, 2006
Posts: 3292
Location: London, UK

Posted: Wed Jan 23, 2013 3:13 am

missmcp

You need to have a sandbox & other envs to test the patches from Microsoft. In addition, what you should have is your own Windows update server that pushes the patches from your server, not the public Microsoft server.

The process in a nutshell should be like this:

Patch comes out.
You deploy to sandbox. This is to determine if the patch blows up a standard desktop, laptop or server that you have.
Note: If you don't have these, set them as the first priority.
Once done in sandbox, for the server patches, you deploy to dev, st, sit and then production, especially if your system applications are customized. You would test the general functionality; the support teams should do this.
For the laptops and desktops, set the machines in clusters: IT Team (test subjects), Senior mgmt, mid mgmt, flunkies, payroll, service desk, help desk etc.
Deploy the tested patches to a sample group.

Meanwhile, work with the change and release mgmt team to get the above process approved as a continual cycle of changes/releases, hence not needing to request every period.

Once this is in place and has worked several cycles, you should report back to the C/R every period on the successes / failures.

In addition, you should report to the various support teams about the patches that go to a server for them to analyse as well.
_________________
John Hardesty
ITSM Manager's Certificate (Red Badge)

Change Management is POWER & CONTROL. /....evil laughter
missmcp38
Newbie


Joined: Jan 22, 2013
Posts: 4

Posted: Fri Jan 25, 2013 6:36 am    Post subject: Re Change & Security

Hi UKViking

Thank you for taking the time to reply to my post. A sandbox.....if only we were that fortunate! We do not have a test or dev network which I agree is an area for concern. If we did have one, it would have stopped the chaos I walked into this morning when an update went out causing a massive issue :o

Time for some drastic action I think!

Missmcp
All times are GMT + 10 Hours