Procedures for Handling Security Patches   [open pdf - 4MB]

Timely patching is critical to maintain the operational availability, confidentiality, and integrity of information technology (IT) systems. However, failure to keep operating system and application software patched is the most common mistake made by IT professionals. New patches are released daily, and it is often difficult for even experienced system administrators to keep abreast of all the new patches. Vulnerabilities are weaknesses in software that can be exploited by a malicious entity to gain greater access and/or permission than it is authorized to have on a computer. Not all vulnerabilities have related patches; thus, system administrators must not only be aware of vulnerabilities and patches, but also mitigate "unpatched" vulnerabilities through other methods (e.g. workarounds, firewalls, and router access control lists). To help address this growing problem, this document recommends that organizations have an explicit and documented patching and vulnerability policy and a systematic, accountable, and documented process for handling patches. This document provides principles and methodologies for accomplishing this. One of several possible techniques is through the creation of a patch and vulnerability group (PVG). This group would facilitate the identification and distribution of patches within the organization.

Report Number:
NIST Special Publication 800-40
Public Domain
Media Type:
Help with citations