Change Management & Security Updates

missmcp38
Newbie
Posts: 4
Joined: Mon Jan 21, 2013 7:00 pm

Tue Jan 22, 2013 7:50 am

Hi all

First of all, hello :) Although I am new to posting in these forums, I have been reading through them for some time now and have found the information very helpful. I did do a search prior to adding my topic but got 0 results so apologies if that is not the case and the question has already been raised.

I have recently moved to a new company and am in the process of evaluating the current Change Management process. One of the areas we seem to be struggling with is the management of security updates. Currently we have a 4-week rollout of a security patch; an RFC is required at each stage. (Week 1 is pilot users, 30 PCs around the firm globally. Week 2 is test, an additional 30 PCs. Week 3, 40% of the firm; week 4, the remaining 60%.) Each update is put through as a separate RFC, which can result in 10+ security updates for review on a weekly basis.

My main question here I suppose is, how do other firms handle such requests for security patching? There has been discussion about raising them as a pre-authorised RFC, something that I disagree with, as although it is a repetitive piece of patching work, the patches differ and also we experience a number of issues the following morning with various things not working as a result of the previous night's patching work.

I would be grateful for any pointers anyone can give on this matter.

Thanks in advance

Missmcp


KenLuo
Senior Itiler
Posts: 55
Joined: Fri Nov 02, 2012 8:00 pm
Location: Singapore

Tue Jan 22, 2013 8:16 am

I suppose you're talking about the Microsoft Security Patch.

Here is what we're doing:
1) Verify this in a testing environment with the proper version installed on servers.
2) If all goes well, we directly push this to clients using some automated tools.

So next time when people's laptops, desktops or servers connect to the company network, the patches would be installed automatically.

This is a kind of regular maintenance for servers and we know it would be done every month. So what we need to do is:
1) Setup the maintenance window for this, e.g. Day 24 every month.
2) Raise the RFC and get approval from CAB by showing the testing result.
3) Do the changes by automated tools.
Luo, Tian-Hong (Ken)
Regional Operation Lead

ITIL Expert Certified
KenLuo

Tue Jan 22, 2013 8:18 am

BTW, your pain point is not related to process, instead it is about the testing. If the testing is not done correctly, process won't help you.
missmcp38

Tue Jan 22, 2013 10:24 am

Hi KenLuo

Thank you for your reply. Yes, I missed that bit, didn't I; it is the Microsoft patches. I agree when you mention that it's the testing of the patching rather than the process. Unfortunately we do not have a test LAN/environment, so we have to rely on weeks 1 & 2 to flush out any issues!

It's not great. Far from ideal, and unfortunately people seem to think it's a change process issue rather than a testing issue!
UKVIKING
ITIL Expert
Posts: 3639
Joined: Fri Sep 15, 2006 8:00 pm
Location: London, UK

Tue Jan 22, 2013 12:13 pm

missmcp

You need to have a sandbox and other environments to test the patches from Microsoft. In addition, what you should have is your own Windows Update server that pushes the patches from your server, not the public Microsoft server.

The process in a nutshell should be like this

Patch comes out.
You deploy to the sandbox. This is to determine if the patch blows up a standard desktop, laptop or server that you have.
Note: if you don't have these, set them as the first priority.
Once done in the sandbox, for the server patches you deploy to dev, ST, SIT and then production, especially if your system applications are customised. You would test the general functionality; the support teams should do this.
For the laptops and desktops, set the machines in clusters: IT team (test subjects), senior mgmt, mid mgmt, flunkies, payroll, service desk, help desk etc.
Deploy the tested patches to a sample group.

Meanwhile, work with the change and release mgmt team to get the above process approved as a continual cycle of changes/releases, hence not needing to request every period.

Once this is in place and has worked for several cycles, you should report back to the C/R every period on the successes/failures.

In addition, you should report to the various support teams about the patches that go to a server, for them to analyse as well.
John Hardesty
ITSM Manager's Certificate (Red Badge)

Change Management is POWER & CONTROL. /....evil laughter
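The staged rollout that KenLuo (test, then an automated push on a fixed maintenance window) and UKVIKING (sandbox, then clusters of machines, then report successes and failures every cycle) describe can be made mechanical, which is what a pre-authorised RFC would rest on. The following is an added example written for this page, not code from the thread, from any poster, or from a vendor tool. The inventory and result feed are constructed, and the group names, the 5% failure threshold and the 90% reporting requirement are assumptions; the ring sizes mirror the 4-week scheme in the original question (pilot, test, 40% of the rest, then the remaining 60%).

```python
"""Ring-based patch rollout with a promotion gate (added example)."""
import hashlib
from collections import defaultdict
from dataclasses import dataclass

RINGS = ("pilot", "test", "broad-40", "broad-60")
FAILURE_THRESHOLD = 0.05   # assumption: more than 5% failed installs blocks the next ring
MIN_REPORTED = 0.9         # assumption: 90% of a ring must have reported before it is judged


@dataclass(frozen=True)
class Machine:
    hostname: str
    group: str   # constructed labels: "it-team", "payroll", "service-desk", ...
    kind: str    # "desktop", "laptop" or "server"


def _stable_key(hostname: str) -> int:
    # Hash order rather than random.sample: the same hosts land in the same
    # ring every month, so each ring builds up a track record.
    return int(hashlib.sha256(hostname.lower().encode()).hexdigest(), 16)


def assign_rings(inventory, pilot_size=30, test_size=30, pilot_group="it-team"):
    """Map hostname -> ring.  Pilot is drawn from the IT team (the test
    subjects in the post), test is filled round-robin over the other business
    groups so payroll, service desk etc. each get a representative, and the
    remainder is split 40/60 in stable hash order."""
    ordered = sorted(inventory, key=lambda m: _stable_key(m.hostname))
    rings = {}

    for m in [m for m in ordered if m.group == pilot_group][:pilot_size]:
        rings[m.hostname] = "pilot"

    by_group = defaultdict(list)
    for m in ordered:
        if m.hostname not in rings and m.group != pilot_group:
            by_group[m.group].append(m)
    picked = 0
    while picked < test_size and any(by_group.values()):
        for g in sorted(by_group):
            if by_group[g] and picked < test_size:
                rings[by_group[g].pop(0).hostname] = "test"
                picked += 1

    rest = [m for m in ordered if m.hostname not in rings]
    cut = round(len(rest) * 0.4)
    for i, m in enumerate(rest):
        rings[m.hostname] = "broad-40" if i < cut else "broad-60"
    return rings


def gate(rings, results, current, threshold=FAILURE_THRESHOLD, min_reported=MIN_REPORTED):
    """Decide whether the ring after `current` may be deployed.

    results maps hostname -> True (installed and came back clean) or False
    (install failed, or something broke the next morning).  Hosts that have
    not reported are neither: the gate holds until enough of the ring has
    checked in, then holds again if the failure rate is over the threshold.
    Returns ("promote", next_ring), ("hold", reason) or ("done", None).
    """
    members = [h for h, r in rings.items() if r == current]
    reported = [h for h in members if h in results]
    if not members or len(reported) / len(members) < min_reported:
        return ("hold", f"only {len(reported)}/{len(members)} of {current} reported")
    rate = sum(1 for h in reported if not results[h]) / len(reported)
    if rate > threshold:
        return ("hold", f"{current} failure rate {rate:.1%} exceeds {threshold:.0%}")
    idx = RINGS.index(current)
    if idx + 1 == len(RINGS):
        return ("done", None)
    return ("promote", RINGS[idx + 1])


if __name__ == "__main__":
    # Constructed inventory, not real hosts.
    inv = ([Machine(f"it{i}", "it-team", "desktop") for i in range(5)]
           + [Machine(f"pay{i}", "payroll", "laptop") for i in range(10)]
           + [Machine(f"sd{i}", "service-desk", "desktop") for i in range(10)])
    rings = assign_rings(inv, pilot_size=3, test_size=4)
    pilot_ok = {h: True for h, r in rings.items() if r == "pilot"}
    print(gate(rings, pilot_ok, "pilot"))   # ('promote', 'test')
```

The gate is the part worth keeping even if the rest is replaced by a real tool: promotion to the next ring is automatic only when the previous ring has actually reported in and its failure rate is under the agreed threshold; otherwise it holds, and that hold is the point at which the CAB sees the change. What pushes the packages (approving the update to the next WSUS target group, or another deployment tool) is outside this snippet.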
missmcp38

Thu Jan 24, 2013 3:36 pm

Hi UKViking

Thank you for taking the time to reply to my post. A sandbox.....if only we were that fortunate! We do not have a test or dev network which I agree is an area for concern. If we did have one, it would have stopped the chaos I walked into this morning when an update went out causing a massive issue 8O

Time for some drastic action I think!

Missmcp