When it comes to security updates, having a plan in place to evaluate, approve and schedule patching is a prudent measure. There should be a formal patch management policy, and it should be strictly adhered to, so that software does not fall behind and become vulnerable to malicious code or attack.

A patch management best practices checklist should involve several steps, starting with identifying which applications receive updates from the manufacturer and should therefore be subject to the policy. This list of apps should then be divided into programs that can download and install updates automatically and those that require a manual update process. For the ones that update on their own, you should not depend on the update actually taking place. The end user has the ability to cancel such updates, and you will have no record of which systems have and have not been patched. The policy should include a method of auditing systems for software version and patch level, or a centralized way to push updates.

For some applications, and the operating system itself, some control should be exercised over what is and is not deployed, because the policy also has to account for patches that break existing processes. Often, the code change that closes a security hole alters the way a program behaves, creating incompatibilities or breaking certain functions. Best practice is to maintain a test bed for all updates, to verify functionality before allowing a mass of computers in your environment to apply the update. The risk of a patch breaking something is typically smaller than the risk of being hacked, though, so when in doubt, updates should be applied.
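The audit step described above can be sketched as follows. This is an added example, not part of the original article: it compares each system's reported software versions against a baseline of versions approved on the test bed, and treats auto-updating applications the same as manual ones instead of trusting that the update ran. The host names, application names, versions and data layout are all constructed for illustration.

```python
# Constructed sample data: approved baseline and per-host inventory reports.
BASELINE = {
    # app: (update mode, version approved after test-bed verification)
    "browser": ("auto", "118.0.2"),
    "pdf-reader": ("auto", "23.6.0"),
    "erp-client": ("manual", "4.2.10"),
}
INVENTORY = {
    "ws-001": {"browser": "118.0.2", "pdf-reader": "23.6.0", "erp-client": "4.2.10"},
    "ws-002": {"browser": "117.0.1", "pdf-reader": "23.6.0", "erp-client": "4.2.9"},
    "ws-003": {"browser": "119.0.0", "pdf-reader": "23.6.0"},
}
# ws-004 is expected in the environment but never reported in.
EXPECTED_HOSTS = ["ws-001", "ws-002", "ws-003", "ws-004"]


def parse_version(text):
    """Turn '4.2.10' into (4, 2, 10) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def audit(baseline, inventory, expected_hosts):
    """Return {host: [finding, ...]}; an empty list means the host matches the baseline."""
    report = {}
    for host in expected_hosts:
        installed = inventory.get(host)
        if installed is None:
            # No record at all is itself a finding: the patch level is unknown.
            report[host] = ["no inventory report: patch level unknown"]
            continue
        findings = []
        for app, (mode, approved) in sorted(baseline.items()):
            have = installed.get(app)
            if have is None:
                findings.append(f"{app}: not reported")
            elif parse_version(have) < parse_version(approved):
                cause = "auto-update not applied" if mode == "auto" else "manual update pending"
                findings.append(f"{app}: {have} < approved {approved} ({cause})")
            elif parse_version(have) > parse_version(approved):
                findings.append(f"{app}: {have} > approved {approved} (not yet verified on test bed)")
        report[host] = findings
    return report


if __name__ == "__main__":
    for host, findings in audit(BASELINE, INVENTORY, EXPECTED_HOSTS).items():
        print(host, "OK" if not findings else "; ".join(findings))
```

A host that runs a version newer than the approved one is reported as well, since it has applied an update that has not yet passed the test bed.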