When I received the list of recommendations from the security team, I provided it to our desktop technology group, advising it to use the same approach to get our desktops up to date. The group has put a schedule together, so this part of the new process is well under way.

Finally, I am mandating a once-per-month patch review and update day. I'm calling this Patch Thursday, and it will fall at least nine days after Microsoft's well-known Patch Tuesdays. On our Patch Thursdays, we will review all new patches and decide which are critical, thus ensuring that our desktops remain compliant. Of course, I will reserve the right to deploy some patches immediately, just as we did for the WMF patch.

The server side

I will be instituting the same program for our Windows and Unix servers, as well as any Unix or Linux desktops. We may have to address the server environment a little differently from the desktops. The main problem here is that Windows servers typically need to be rebooted after a patch is applied, so monthly updates in a complex server configuration that includes clustered environments and the use of virtual machines may not be feasible. In addition, the process would need to include some fairly comprehensive testing before patches could be deployed in the production environment. The last thing we want to do is risk the company's ability to generate revenue or its reputation by deploying an untested patch on a key server.

Unix servers are also considered critical infrastructure, and although many of the recommended Solaris patches don't require a reboot, they still need to be fully tested. But we don't always have a test environment available for every server in production, so testing will be a challenge.