T 3.92 Misjudging the relevance of patches and changes
If the relevance of patches for safe IT operations is misjudged, this may result in incorrect prioritisation. If the updates are prioritised incorrectly, unimportant patches may be installed first. As a result, important patches are installed too late and security gaps remain open for a longer time.
Patch and change management is often supported by software-based tools. These tools may also contain software errors and therefore provide insufficient or incorrect information on a change. For this reason, the information provided by such a tool always has to be checked and tested for plausibility.
Examples:
- In patch and change management, an employee incorrectly assesses the relevance and priority of a security patch as very high and has an emergency patch installed on all systems concerned. Due to shorter test phases, an error in this patch is overlooked and causes a severe security vulnerability elsewhere.