T 2.137 Poor and inadequate planning when distributing patches and changes

To ensure that patches and changes can be distributed in the organisation within the defined period of time, the technical and personnel resources required for this purpose must be planned in the framework of the patch and change management. If no adequate resources are available, there is the risk that the distribution of changes takes more time than planned or even fails. Thus, business processes with high availability requirements might be impaired if, for example, servers or databases required for this purpose fail.

Patches and changes may also be distributed in a software-based manner. If the software used for this purpose, however, cannot be adapted to the growing and ever more complex IT landscape, the distribution ultimately becomes more time-consuming. As a result, it may no longer be possible to distribute security updates promptly.

Sometimes, the order in which patches and changes have to be distributed is relevant for the consistency and security of the entire system. For example, a new version of a security software program might require an operating system on which all current patches have been installed. In this case, the operating systems in the information system must first be updated and restarted if necessary, and only then can the new security software be installed. Distribution software that does not check which patches and changes are already present might try to install the security software before the operating system has been updated successfully. This would leave behind an inconsistent or even unpatched system.

If the software on IT systems is updated, it is often necessary to restart the application or the operating system afterwards. Complex applications such as databases take some time to make their data available again following an update. During this period, the applications and data of the affected systems are not available. For systems with high availability requirements, this can have a negative impact on the organisation. This is particularly the case when the systems are unavailable for longer than expected because of errors during the change operation. Such failures might prevent employees or customers from carrying out their work.
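The two preceding paragraphs describe what distribution software has to get right: apply patches in an order that honours their prerequisites, refuse a patch whose prerequisites are not yet present, and account for the restarts the sequence will cause. The following is an added illustration, not part of the original catalogue and not any product's code; the patch identifiers and the `requires`/`restart` catalogue format are constructed for the example.

```python
from collections import deque

# Constructed sample catalogue (hypothetical patch identifiers): each entry lists the
# patches that must already be installed before it may be applied, and whether it
# forces a restart, which is the downtime the text warns about.
CATALOGUE = {
    "os-2024-01": {"requires": [], "restart": True},
    "os-2024-02": {"requires": ["os-2024-01"], "restart": True},
    "secsw-5.0": {"requires": ["os-2024-01", "os-2024-02"], "restart": False},
    "db-hotfix-7": {"requires": ["os-2024-02"], "restart": True},
}


def plan_order(catalogue):
    """Return an installation order that satisfies every prerequisite (Kahn's algorithm)."""
    indegree = {p: len(meta["requires"]) for p, meta in catalogue.items()}
    dependents = {p: [] for p in catalogue}
    for p, meta in catalogue.items():
        for req in meta["requires"]:
            if req not in catalogue:
                raise ValueError(f"{p} requires unknown patch {req}")
            dependents[req].append(p)
    ready = deque(sorted(p for p, d in indegree.items() if d == 0))
    order = []
    while ready:
        p = ready.popleft()
        order.append(p)
        for d in sorted(dependents[p]):  # sorted only to make the order deterministic
            indegree[d] -= 1
            if indegree[d] == 0:
                ready.append(d)
    if len(order) != len(catalogue):
        raise ValueError("circular prerequisites: no valid installation order")
    return order


def check_prerequisites(patch, installed, catalogue):
    """Prerequisites of `patch` that are not yet installed (empty list means it may be applied)."""
    return [r for r in catalogue[patch]["requires"] if r not in installed]


def apply_in_order(order, installed, catalogue):
    """Simulate a distributor that refuses any patch whose prerequisites are missing.
    Returns (installed set, number of restarts required, list of refused patches)."""
    installed, restarts, refused = set(installed), 0, []
    for p in order:
        missing = check_prerequisites(p, installed, catalogue)
        if missing:  # leave the system consistent instead of installing out of order
            refused.append((p, missing))
            continue
        installed.add(p)
        if catalogue[p]["restart"]:
            restarts += 1
    return installed, restarts, refused
```

Running `apply_in_order` with a hand-written order that puts the security software first shows the refusal the text calls for, while `plan_order` produces a sequence that installs everything and lets the restart count feed the maintenance-window planning.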

Examples: