can patch mgmt be included in change control

Discuss and debate ITIL Change Management issues
Post Reply
User avatar
vabs
Itiler
Itiler
Posts: 5
Joined: Sun Jul 14, 2013 8:00 pm

Mon Jul 15, 2013 7:34 am

Hi all,

Could you please advice if the Patch mgmt shuold be included in change control wherein the requestor needs to raise a change every time for a patch request.

Regards
Vabs


User avatar
Fang
Itiler
Itiler
Posts: 13
Joined: Sun Sep 16, 2012 8:00 pm

Tue Jul 16, 2013 8:55 am

Its up to you really! If tracking patches is important to your organisation, then make sure its included in your Change Management process.

We expedite security patches as 'pre-approved' changes, but scrutinise other patches at CAB, asking for evidence of testing, back out strategies etc.
User avatar
vabs
Itiler
Itiler
Posts: 5
Joined: Sun Jul 14, 2013 8:00 pm

Wed Jul 17, 2013 9:25 am

Thanks Fang, But how can you make a security patches as pre-approved changes. These patches require server reboot and any change with outage can not be made as standard change.

Actually I was in the view that if we include the patched in change management process, then we will require extra hands to manage the patch requests..What do you say.. Is there any way we can mange these without extra hands..
User avatar
Fang
Itiler
Itiler
Posts: 13
Joined: Sun Sep 16, 2012 8:00 pm

Thu Jul 18, 2013 5:39 am

ITIL is a set of guidelines and best practice, not a rule book. We allow our version of standard changes (called Routine Pre-Approved changes) to have a small impact on users.

We define our Routine Pre-Approved changes as changes that are regularly carried out, are low risk and have little impact on supported users. When a change is required that is known to have a visible impact on supported users it will go through Normal CAB approval process.

Routine Pre-Approved changes have the following characteristics:
• They follow an established, well proven path
• Have a defined trigger that initiates the change request for a pre-Approved change
• There is an approved set of procedures that must be followed for the change to be deemed approved
• They are relatively common
• They are the accepted solution to a specific requirement or set of requirements

So there is a clearly defined subset of pre-approved changes, which are performed by our Security group only. Server re-boots are very short, and unless there in an on-going security issue that needs patching/sorting NOW (in which case it’s an Emergency change) then the patches are put on when the re-boot shouldn’t affect too many users.

I am a Change Management team of one – so there are no extra hands. The Security staff are responsible for the security patches, once the procedure to do them has been scrutinised and approved by CAB.
User avatar
UKVIKING
ITIL Expert
ITIL Expert
Posts: 3639
Joined: Fri Sep 15, 2006 8:00 pm
Location: London, UK

Thu Jul 18, 2013 12:22 pm

Fang is absolutely correct

He has defined the classification for CM / CAB involvement and not

The operation team has deifined a prcocess in line with his defintions.

Fang has - I presume - had a CM review of the process, as well as a test - based on his criteria - approved / define the patch mgmt process for certain types of patches as he has

It is under change control
John Hardesty
ITSM Manager's Certificate (Red Badge)

Change Management is POWER & CONTROL. /....evil laughter
Post Reply