For a patch management best practices policy, there are a few points to consider as you begin to draft the wording of your policy. Of key importance, above all else, is the need to know whether or not the computers on your network have been receiving and installing security patches, so that any machine that has not can be corrected or disconnected from the network. The patch management best practices policy should clearly state that a patch management system providing this level of reporting on your computers must be in place. An application server needs to be deployed that uses agent-based software pushed to, and run regularly on, the machines connected to its network. That software then reports statistics back to the server, and those statistics are used to satisfy patch management best practices.
That server then analyzes the data from all computers and offers charts, or even notifications, that indicate which machines are out of compliance with patch management best practices. Those machines can then be brought up to the latest patch levels to maximize security. The ability to determine patch levels at a glance is almost irreplaceable when it comes to patch management best practices. Without such a mechanism in place, it is anyone's guess which machines have or have not been properly updated. No patch management best practices policy should allow machines to update themselves directly from the internet: there is no verification trail when this takes place, and computers can and will quickly fall out of compliance. Those computers then become security risks and openings for any number of viruses or potential intrusions into your network. The point of following patch management best practices is to prevent those sorts of things from happening in the first place, so the policy should carefully examine all aspects of patch deployment and determine the best way to handle them in your environment.
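The server-side compliance check described above, as an added example that is not part of the original article: it takes the reports agents send back (hostname, last check-in time, installed patches), compares them against a required baseline, and flags the hosts that need action. The patch identifiers, hostnames and two-day check-in window are constructed placeholders; a host whose agent has not reported recently is classified as "unknown" rather than compliant, because there is no verification trail for its patch state.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed baseline: patch IDs are placeholders, not real vendor identifiers.
REQUIRED_PATCHES = {"PATCH-2024-001", "PATCH-2024-002", "PATCH-2024-003"}
# An agent that has not reported within this window cannot be trusted as current.
MAX_CHECKIN_AGE = timedelta(days=2)


@dataclass
class AgentReport:
    """What each agent sends back to the server: host, last contact, installed patches."""
    hostname: str
    last_checkin: datetime
    installed: frozenset


def evaluate(report, now, required=REQUIRED_PATCHES, max_age=MAX_CHECKIN_AGE):
    """Classify one host. A stale agent is 'unknown', never 'compliant'."""
    missing = sorted(required - report.installed)
    stale = now - report.last_checkin > max_age
    if stale:
        status = "unknown"
    elif missing:
        status = "non_compliant"
    else:
        status = "compliant"
    return {"hostname": report.hostname, "status": status, "missing": missing}


def compliance_summary(reports, now):
    """Per-host results, status counts, and the hosts to patch or disconnect."""
    results = [evaluate(r, now) for r in reports]
    action = sorted(r["hostname"] for r in results if r["status"] != "compliant")
    counts = {}
    for r in results:
        counts[r["status"]] = counts.get(r["status"], 0) + 1
    return {"results": results, "counts": counts, "needs_action": action}


# Constructed sample check-ins, evaluated against a fixed clock so the output is stable.
NOW = datetime(2024, 6, 10, 12, 0, tzinfo=timezone.utc)
SAMPLE_REPORTS = [
    AgentReport("ws-01", NOW - timedelta(hours=1), frozenset(REQUIRED_PATCHES)),
    AgentReport("ws-02", NOW - timedelta(hours=6), frozenset({"PATCH-2024-001", "PATCH-2024-002"})),
    AgentReport("srv-03", NOW - timedelta(days=5), frozenset(REQUIRED_PATCHES)),
]

if __name__ == "__main__":
    summary = compliance_summary(SAMPLE_REPORTS, NOW)
    for r in summary["results"]:
        print(f'{r["hostname"]:8} {r["status"]:14} missing={r["missing"]}')
    print("counts:", summary["counts"], "needs action:", summary["needs_action"])
```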