SC Magazine published a good article explaining why patch management has become such a critical aspect of information security.
In the article, Rob Duran, CISO of Time, Inc., explains that he uses a four-phase approach to patch management: intelligence monitoring, testing, deployment, and verification that the fixes work. It’s worth pointing out that this approach is well aligned with the requirements of the PCI DSS, which require not only that all patches be deployed in a timely manner, but also that all patches be tested before deployment.
You can read the full article here.
Jeremy Simon, PCI QSA, CISSP, CISA
Practice Lead, PCI Compliance Services