I also wanted to ensure that our standard corporate images are maintained at the same patch level as the desktops. After some discussion, members of the desktop group and I agreed that they would review recommended patches and keep desktop images up to date on a quarterly basis but that prior to issuing a new laptop or desktop, they would run the Windows Update program to ensure that all patches were installed. I'll expect the same for the servers.

I solidified this new patch-management process by writing down some guidelines on matters such as roles, responsibilities and prioritization. I'll distribute this at the upcoming patch management meeting, where we'll assign appropriate duties. In addition, I'll be using our SMS infrastructure to create regular reports that provide details on compliance. My company holds a weekly service-review meeting in which each manager of a major department presents various metrics and status reports relevant to his department. I will include these new metrics along with my other reports so that my peers and the CIO can be kept abreast of the effectiveness of the patch management process.

What do you think?

This week's journal is written by a real security manager, "Mathias Thurman," whose name and employer have been disguised for obvious reasons. Contact him at mathias_thurman@yahoo.com.

Sidebar: Security log