Month: February 2004

Infrequent or inadequate patching exposes the organization to significant risk of corrupt systems and stolen information. This nature of software alarmed the federal regulators who in the fall of 2003 dictated that all financial institutions develop an adequate patch management program to reduce the risks posed by these flaws.

The federal regulators declared that a patch management program be part of the financial organization’s information security plan. They also stated that failure to maintain an adequate plan can adversely affect an institution’s overall IT examination rating. With the release of FDIC: FIL-43-2003 the FDIC identified these four steps to a compliant patch management program:

1. Development of appropriate organizational procedures.
Like all programs, a structure needs to be created to facilitate the patch management plan.
2. Monitoring software vulnerabilities and identifying corrective patch information.
Patch management is a pro-active pursuit.
3. Evaluating the impact of patches.
Once a patch has been identified the next step is to assess the impact of that patch on the environment.
4. Testing and installing software patches.
The next step is to test each patch prior to installation.
5. Report to the Board of Directors.
Section 501(b) of the Gramm-Leach-Bliley Act stipulates that institutions must perform periodic risk assessments and present the findings to the Board of Directors.

More info: [url=http://www.bankinfosecurity.com/?q=node/view/554]http://www.bankinfosecurity.com/?q=node/view/554[/url]

You need a solution that proactively builds security defenses before the damage is done—instead of reacting after it’s too late. According to the Carnegie Mellon University, more than 90 percent of all security breaches involve a software vulnerability caused by a missing patch that the IT department already knows about. That means most IT departments lack a methodology for rapidly deploying patches. The rest are ones that they did not know about and probably lacked the resource to investigate.

You need to get as close to 100% of your vulnerabilities covered as quickly as possible since one breach can be devastating and costly. Until operating system and application vendors start writing perfectly secure software, IT administrators will have to deal with the patch problem. But effective patch management is more than just plugging holes and hoping for the best. It’s an ongoing, systematic process that can benefit from automation. If your IT environment shows any of these early warning signs, you will have a problem:

CISOs have spent the past few years perfecting digging moats around the corporate castle. Now, as they lift their heads out of the trenches, they find themselves living in the age of bomber planes and guided missiles.

The problems with perimeter-based security are neither new nor unclear. Corporate information systems increasingly rely on tools and processes that exist outside the protective embrace of the traditional firewall. Wireless, mobile, remote and ad hoc are the watchwords of today’s business, with employees, partners and customers often using two or three different devices—ranging from laptops to cell phones to kiosks at the local Internet caf