Server Patch Management

SOP Number : IT/014/R.1
SOP Title : Server Patch Management

Role | NAME | TITLE | SIGNATURE | DATE
Author | Sandeep R. Yadav | System Admin | | 27-11-2022
Reviewer | Milind Khedekar | Senior Manager | | 27-11-2022
Authoriser | Mahaveer Devannavar | General Manager | | 27-11-2022

Effective Date : 01-12-2022
Review Date : 28-11-2022
1. PURPOSE
Security : Patch management fixes vulnerabilities on your software and applications that are susceptible to cyber-attacks, helping your organization reduce its security risk.
System uptime : Patch management ensures your software and applications are kept up-to-date and run smoothly, supporting system uptime.
2. INTRODUCTION
A server patch is a small piece of code installed on a server to fix a security vulnerability or bug. Patches are typically released by vendors when new vulnerabilities are discovered. It is essential to keep your servers patched to protect against known security threats. In some cases, patches may also include performance improvements or new features.
Server patch management involves testing and patching physical and virtual servers with little to no downtime. This free patch management software gives you access to all the essential features required to patch your systems. This patch management solution can secure your entire infrastructure.
Maintain the integrity of network systems and data by applying the latest operating system and application security updates/patches in a timely manner.
Desktops, laptops, servers, applications, and network devices represent access points to sensitive and confidential company data, as well as access to technology resources and services. Ensuring updates and patches are distributed and implemented in a timely manner is essential to maintain system stability and mitigate malware, exploitation, and security threats.
The processes addressed in this document affect all company managed systems, including desktops, laptops, servers, network devices, wireless devices and applications that connect to the company network.
3. SCOPE
This standard applies to all devices in organizations and the administrators that support these resources. The processes addressed in this standard affect all managed campus systems, including desktops, laptops, servers, network devices, security appliances, and applications that connect to the campus network.
4. RESPONSIBILITIES
Reviewing and approving changes to the Patch Management Policy and Procedures is taken care of by the Head of the Information Technology Department.
Scanning for patches (Vulnerability Management Program) is taken care of by the IT Data Centre team.
Notifying teams (QA, DEV, pre-prod and production) of patching schedules (depending on environment) is taken care of by the IT team.
Taking a full backup before the activity is the accountability of the System Administrator.
Applying patches is taken care of by the IT team.
Testing services after patching is taken care of by the QA/Dev engineer.
Notifying and reporting testing results is taken care of by the QA/Dev engineer.
Remediating issues, as necessary, is taken care of by the QA/Dev engineer / IT Systems engineer / IT Security team.
5. SPECIFIC PROCEDURE
5.1. General Procedure :
The process of server patch management is critical to the security and stability of any organisation's network infrastructure. Server patch management is the process of identifying, acquiring, installing, and verifying patches for software that runs on a network server. Patches are pieces of code that are used to fix software vulnerabilities. The software vendor usually releases them after the vulnerabilities have been discovered.
The server patch management process typically involves the following steps:
1. Inventory : The first step is to inventory your servers and identify which ones need to be patched. This can be done manually or using a tool like Microsoft System Center Configuration Manager (SCCM).
2. Download patches : Once you have identified the appropriate patches, the next step is to download them from the vendor’s website or through a patch management tool like SCCM.
3. Test patches : Before installing them on production servers, it is essential to test patches. This will help to ensure that the patches do not cause any unexpected problems.
4. Install patches : Once you have tested them, the next step is installing them on your production servers. This can be done manually or through a patch management tool like SCCM.
5. Verify installation : After you have installed the patches, it is essential to verify that they have been applied correctly. This can be done through the patch management tool or by checking the server logs.
6. Monitor for problems : Even after you have verified that the patches have been applied correctly, it is essential to monitor your servers for any issues that may occur after patching. This can be done through server monitoring tools like Nagios or SolarWinds Server & Application Monitor.
7. Patch management schedule : Patch management is scheduled in two parts. Standard patches provided by the OEM are reviewed by the System Administrator, who takes the decision on implementation. Emergency security patches are to be taken up on immediate priority, with proper information to stakeholders on their severity and applicability.
6. Definitions :
Apply : To install a patch on a system
Back out : To remove a patch from a system
Download : To copy one or more patches from a source of patches, to the system where the patches are to be applied
Package : The form in which software products are delivered for installation on a system. The package contains a collection of files and directories in a defined format
Patch : An update to software that corrects an existing problem or that introduces a feature
Patch analysis : A method of checking a system to determine which patches are appropriate for the system
Patch dependency : An instance where a patch depends on the existence of another patch on a system. A patch that depends on one or more patches can only be applied to a system when those other patches have already been applied
Patch list : A file that contains a list of patches, one patch ID per line. Such a list can be used to perform patch operations. The list can be generated based on the analysis of a system or on user input
7. FORMS / TEMPLATES TO BE USED
A standard template is used by the Department of Information Technology to record incidents.
8. Change History
SOP No. | Effective Date | Significant Changes | Previous SOP no.
IT/014/R.1 | 01-12-2022 | First version | N.A.