The Need for Proper Patch Testing

All software applications require updates (or patches) from vendors to keep these applications safe and secure, which means all financial institutions need to have an efficient and effective patch management program in place. One of the main components of an effective patch management program is patch testing. All patches should be carefully evaluated and tested prior to deployment to ensure new features introduced will not cause problems for your bank.

Without a proper patch testing procedure in place, financial institutions open themselves up to serious security breaches and compliance issues. The natural reaction is to make sure that all patches are installed as soon as they are released, but effective patch management is not that straightforward.

Patches are not always perfect. When providers attempt to fix one problem, they may inadvertently break something else. A bad patch can break a financial institution’s applications and disrupt daily processes that could ultimately impact the customer experience. A recent Forbes article highlighted the potential downfall of rushing patches to production devices. The piece detailed how many organizations that automatically installed the latest Windows 7 update to their systems experienced significant problems, including not being able to start or reboot their PCs. With a patch testing process, these situations could have been avoided.

How to Test Patches

To effectively test patches, banks should put together a test group in their own environment that is a representative sample of all the types of machines and applications in use. This test group should receive newly released patches before they are rolled out to the entire financial institution network. This helps your institution verify that a patch will not cause more problems than it is worth and prevents the majority of devices from receiving bad patches.
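One way to build such a test group, shown as an added example that is not from the original article: a greedy set-cover pass over a device inventory that picks a small group in which every role, operating system, hardware model and application appears at least once. The inventory, the `exclude` parameter (devices that cannot join the test group) and all names are assumptions made for illustration.

```python
from collections import namedtuple

Device = namedtuple("Device", "host role os model apps")

# Constructed sample inventory; hostnames, models and application names are made up.
INVENTORY = [
    Device("TELLER-01", "workstation", "Windows 10", "desktop-A", {"core-client", "check-scanner"}),
    Device("TELLER-02", "workstation", "Windows 10", "desktop-A", {"core-client", "check-scanner"}),
    Device("LOAN-01", "workstation", "Windows 11", "laptop-B", {"core-client", "loan-origination", "office-suite"}),
    Device("BACK-01", "workstation", "Windows 10", "laptop-B", {"office-suite"}),
    Device("BACK-02", "workstation", "Windows 11", "desktop-A", {"office-suite"}),
    Device("FS-01", "server", "Windows Server 2019", "rack-C", {"file-share"}),
    Device("FS-02", "server", "Windows Server 2019", "rack-C", {"file-share"}),
    Device("IMG-01", "server", "Windows Server 2022", "vm", {"imaging"}),
]


def traits(device):
    """Every property of a device that a patch could interact with."""
    fixed = {("role", device.role), ("os", device.os), ("model", device.model)}
    return fixed | {("app", app) for app in device.apps}


def pick_test_group(inventory, exclude=()):
    """Greedy set cover: keep adding the device that represents the most
    traits not yet in the test group. Returns (group, uncovered_traits)."""
    candidates = [d for d in inventory if d.host not in exclude]
    uncovered = set().union(*(traits(d) for d in inventory))
    group = []
    while uncovered and candidates:
        best = max(candidates, key=lambda d: len(traits(d) & uncovered))
        gained = traits(best) & uncovered
        if not gained:
            break  # what is left exists only on excluded devices
        group.append(best)
        uncovered -= gained
    return group, uncovered


if __name__ == "__main__":
    group, gaps = pick_test_group(INVENTORY)
    print("test group:", [d.host for d in group])
    group, gaps = pick_test_group(INVENTORY, exclude={"IMG-01"})
    print("test group:", [d.host for d in group], "not represented:", sorted(gaps))
```

Any trait returned as not represented is a machine type or application that will first meet a new patch during the full rollout, so it marks where the test group needs another device.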

Aside from the practical reasons for testing patches, there is also a regulatory compliance element. Having a test group is a minimum requirement according to the FFIEC guidance on patch management.

Automated Assistance with Patch Management

Many banks and credit unions find managing patches and maintaining the appropriate settings for patches to work properly challenging and time-consuming. This challenge has hindered many banks from having a stellar program, which has led to less-than-desirable patch scores. When auditors and examiners come to your institution, you want to ensure that all of your devices are up to date.

Automating the critical patch management process enables banks to gain efficiencies in the back of the house by significantly reducing time spent manually patching all systems within the institution. IT staff can use the time previously spent on menial patching tasks to focus on profit-generating activities that drive business forward. Additionally, automated solutions operate 24/7 and are less impacted by human error or employee absence, leading to increased security and a better overall compliance posture.

Working with an outsourced service provider, such as Safe Systems, provides a comprehensive patching process that delivers quick, accurate and secure patch updates to all workstations and servers, while mitigating the multiple risks of running unpatched programs and automating the time-consuming process of testing and deploying new patches. Safe Systems maintains all the settings required for patches to work, which diminishes administrative overhead and testing time. Furthermore, we are able to leverage our scale to create a massive pool of test devices across a broad spectrum of environments. This allows us to test patches far more thoroughly than any other financial institution partner, and results in less downtime for all customers due to problem patches. Safe Systems’ financial institution focus means we test against the top core provider applications, and can quickly detect when a patch causes issues with these programs.

Timely and well-controlled patch management is a vital element of a comprehensive Information Security program. By partnering with Safe Systems, you can avoid the pitfalls of poor patch management, benefit from our efficiencies and enhance your institution’s security.