IAB Interactive Standardized Equipment List
SEL Number:
05PM-00-PTCH
Title:
System, Patch/Configuration Management
Last Updated:
11/19/2024 11:43:21 AM
Previous SEL Number:
05PM-00-PTCH
Description:
System to manage the update and installation of patches, applications, and/or operating systems utilized by an organization in order to maintain current "version control."
This functionality may also be obtainable via subscription as a cloud-based service using a web browser interface, as opposed to purchasing software. However, special security considerations apply for data stored remotely. See 04AP-11-SAAS for further information.
Important Features:
Record keeping of existing versions on different clients, date of last change, etc.
System automatically gathers current versions from assorted vendors for pushing out to clients.
Operating Considerations:
May require the installation of client software on all managed devices (workstations, servers, etc.). This can be a significant task, and any required client software should be checked for compatibility with hardware/operating system/software suites in use prior to procurement.
Some products may track only operating system software. However, vulnerabilities in applications and network devices such as routers are also important and should be included in any patch management plan.
Consider whether operating systems and applications should be set up for automatic update. There have been isolated instances in which an OS update (and even a security software application update) has severely impacted systems. While there is no perfect solution, one approach is to have relatively benign applications such as browsers, office software, or PDF readers update automatically, while software with high potential impact such as operating systems and security software is set for "download only" and manual update.
Regular third-party vulnerability assessments should also be performed.
Training Requirements:
Core Training: Per Manufacturer's Specifications
Initial Training: Extensive (> 2 days)
Sustainment Training: Extensive (> 2 days)
Mandatory Standards:
Applicable Standards and References:
NIST SP 800-040r4, Guide to Enterprise Patch Management Planning, April 2022
NIST SP 800-171 Rev. 3, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, May 2024