As the number of systems you manage grows, implementing a patch management policy becomes crucial to ensuring the safety and security of those systems. Allowing computers to run updates automatically, outside the control of the IT department, may work in a smaller environment, but as the number of computers approaches a medium to large scale, having a patch management policy in place is of utmost importance. A patch management policy should clearly state the speed and frequency of update identification, acquisition and distribution. The policy should also require end users to follow the prompts provided by the system update service and to restart their machines when requested.
Taking the patch management policy to the next level means implementing internally serviced updates enforced by a patch management server. There are free server programs that handle locally caching updates and distributing them at predetermined intervals. There are also paid patch management systems that offer more features, a wider variety of updates that can be distributed, and reporting and enforcement. Policy enforcement means that if a system does not meet an adequate patch level, it cannot gain access to network shares and resources. While putting a patch management policy in place may seem like a large investment of time, it reduces the hours otherwise spent manually updating systems, building your own reports, or dealing with systems compromised through an unpatched vulnerability, so it can actually save time in the long run. A patch management policy will generally come down from upper management, but in some cases an IT department may have to lobby for the change. The long-term security benefits are usually enough to convince leadership to put a patch management policy in place.
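The paragraph above describes two ideas an enforcement server has to turn into concrete rules: a required speed of deployment per patch, and a decision about whether a host that has fallen behind may use network resources. The script below is an added illustration of how such a policy can be encoded and evaluated; it is not code from any patch management product. The severity deadlines, patch identifiers (PATCH-001 and so on), host names and dates are all constructed sample values, not vendor data.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Policy: maximum days allowed between a patch's release and its installation,
# keyed by vendor severity. These windows are constructed for this example and
# are not taken from any particular organization's policy.
SLA_DAYS = {"critical": 7, "important": 30, "moderate": 90}


@dataclass(frozen=True)
class Patch:
    patch_id: str   # vendor identifier; placeholder values are used below
    severity: str   # must be one of the SLA_DAYS keys
    released: date  # date the vendor published the patch


@dataclass
class Host:
    name: str
    installed: set = field(default_factory=set)  # patch_ids reported as installed


def overdue_patches(host, catalog, today):
    """Return approved patches the host is missing whose SLA deadline has passed."""
    overdue = []
    for patch in catalog:
        if patch.patch_id in host.installed:
            continue
        deadline = patch.released + timedelta(days=SLA_DAYS[patch.severity])
        if today > deadline:
            overdue.append(patch.patch_id)
    return overdue


def pending_patches(host, catalog, today):
    """Return missing patches that are still inside their SLA window (warn only)."""
    overdue = set(overdue_patches(host, catalog, today))
    return [p.patch_id for p in catalog
            if p.patch_id not in host.installed and p.patch_id not in overdue]


def evaluate_fleet(hosts, catalog, today):
    """Map each host name to its compliance decision.

    A host with any overdue patch is non-compliant and would be denied access
    to network shares and resources until it is brought up to date; a host that
    is only missing patches still inside their window keeps access but is
    flagged so the report shows what is coming due.
    """
    report = {}
    for host in hosts:
        overdue = overdue_patches(host, catalog, today)
        report[host.name] = {
            "compliant": not overdue,
            "overdue": overdue,
            "pending": pending_patches(host, catalog, today),
            "network_access": "allow" if not overdue else "quarantine",
        }
    return report


# Constructed sample catalog: three patches released on the same day with
# different severities, so their deadlines fall at different points.
CATALOG = [
    Patch("PATCH-001", "critical", date(2024, 3, 1)),
    Patch("PATCH-002", "important", date(2024, 3, 1)),
    Patch("PATCH-003", "moderate", date(2024, 3, 1)),
]

# Constructed sample inventory, as a patch server might collect it from agents.
HOSTS = [
    Host("ws-01", {"PATCH-001", "PATCH-002", "PATCH-003"}),  # fully patched
    Host("ws-02", {"PATCH-002"}),                            # missing the critical patch
    Host("ws-03", {"PATCH-001", "PATCH-002"}),               # missing only the moderate one
]

# Evaluation date chosen so the critical window (7 days) has closed while the
# important (30 days) and moderate (90 days) windows are still open.
TODAY = date(2024, 3, 20)


if __name__ == "__main__":
    for name, result in evaluate_fleet(HOSTS, CATALOG, TODAY).items():
        print(f"{name}: {result['network_access']:10} "
              f"overdue={result['overdue']} pending={result['pending']}")
```

Run as-is, the report quarantines ws-02 for the overdue critical patch, while ws-03, which is missing only a moderate patch still inside its 90-day window, keeps network access but appears in the pending column. Changing the SLA_DAYS values is the place where an organization's own stated speed of distribution would be encoded.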