Any time you hear a story of a business experiencing a widespread virus outbreak, you have to wonder whether it has an adequate security patch management policy in effect, and whether it is adhering to it. A virus scanner is a first line of defense against viral infections, but it is certainly not infallible. There are viruses that are capable of disabling antivirus software, and until new virus definition files are distributed, there is a window of opportunity for a virus to take advantage of the opening and spread across a network. These viruses also take advantage of unfixed security holes on the machines that they invade. All OS software has vulnerabilities, and as they are identified, they are closed off to attack by security patches that the operating system manufacturer releases periodically.
A security patch management policy is a process in place to ensure that security patches are delivered to workstations and servers as a requirement for their use. A security patch management policy generally states that any computer in use on the network must be updated to the latest patch level that is available. The security patch management procedure can vary in its execution. In some situations, the security patch management policy may simply require each user to have their computer configured to poll for new updates and install them as they become available.
In other cases, usually in larger enterprises, there is a security patch management system in place that forces the machines to accept updates, either from an internal server or via a push, and requires no user intervention. These security patch management systems can be configured to override the user and prevent them from disabling the installation of updates. This is the most secure and most certain way of enforcing security patch management, as it avoids a scenario where some computers may not be receiving updates. A security patch management policy has to be enforced to maintain its effectiveness.