Managed Services for Banks & Credit Unions – Part 1 in a Series: Patch Management

Topics: Compliance, Cybersecurity, Managed IT Services, Security

Managed Services is the practice of outsourcing routine IT infrastructure management tasks to a third party using techniques that take advantage of process automation and large-scale operations. Businesses’ demand for Managed Services has been growing due to rapid technology changes and the increasing complexity of IT. Outsourcing operations to a third party can be an especially difficult concept for banks to embrace due to additional challenges relating to regulatory requirements, privacy and outsourcing concerns. However, for the typical community bank, Managed Services is exactly the right way to help the organization focus on what it does best and leverage scarce in-house talent for the real banking expertise.

In this series on Managed Services, we will examine a few specific areas of bank IT services: patch management, security services, hosted applications, and backup and disaster recovery solutions. While some organizations want to control the entire Managed Services bundle, that is not a recipe for every bank. At ATS, we provide the full set of Managed Services, but we also allow our customers to select a single service bundle or even make their own combination of services.

Part 1: Patch Management

Patch management is the process of applying updates to standard software in a methodical fashion that ensures all necessary updates have been made. The point is to stay current with vendor updates, especially those that relate to security. But as we have experienced over the years, not all patches are bug-free, and some patches can cause conflicts with other software. Patches cannot be applied blindly. Some human intervention is needed to evaluate the patches available, or to be ready to unapply a patch if it causes a problem.

FFIEC guidelines require a bank to have an ongoing program of patch management. Management must have the assurance that the patches are being reviewed, approved for deployment, and actually applied in a consistent fashion. Even without FFIEC oversight, patch management is a good practice to have in any business.

To some organizations, patch management consists of setting up and running the free Microsoft WSUS product and not much more. In the worst cases, organizations may just set up all machines to automatically download any available patch. But there is a lot more to the automatic deployment of software bug fixes, updates or new software versions, and it is critical to the ongoing health of a bank’s IT infrastructure to have a good process.

At ATS, we find that many in-house solutions address only a limited spectrum of patches and don’t provide adequate patch testing. We understand why this happens – scarce people resources to get the job done – but it is just not good enough. Thus, it makes sense for banks with limited staff to outsource patch management to a provider of comprehensive patching solutions that handles not only Microsoft but also third-party patches. Further, since the majority of the patches are deployed after hours, mostly in the middle of the night, your internal IT staff will appreciate having this onerous task taken off their hands so they can focus on more strategic IT tasks to advance your bank’s goals.

ATS defines four categories of patches in a comprehensive patch management program:

    • Patches to operating system software for desktops, laptops, tablets, and servers controlled by the bank.
    • Patches to network devices, such as routers, switches, and firewalls controlled by the bank.
    • Patches to network devices outside the control of the bank, which means all the devices at the web hosting company, the core processor, the MPLS vendor, the phone vendor, and so on.
    • Patches to applications software, of which there are four categories: non-Microsoft workstation applications (e.g. Adobe Acrobat, Java); business applications (e.g. LaserPro); core processing applications; and IT-specific software (monitoring software, backup software).

Each category has its own quirks, and therefore needs a special approach in your bank’s patch management program. A good example that banks are now grappling with is the Apple iPad, which is routinely deployed for bank directors and loan officers. First, updates to iOS fall outside the standard patch management processes, and certainly would never be part of WSUS. But if bank directors upgrade from iOS 6 to 7, there is a good chance that the new version will not work with the board book app that was set up for them, and to make matters worse, we have seen cases where the archived board materials were lost. The bank’s IT staff has to be ready to deal with these issues and make decisions as part of a comprehensive patch management program: what gets patched, how, how often, how do we verify the patches were applied, and how do we back out of a patch when it breaks something.

WSUS may be a good solution for the routine OS updates. Microsoft releases these patches each month on “Patch Tuesday”. The first step is setting up all the workstations to point to the WSUS server rather than using up bandwidth to download the patches from the Internet. This configuration is easy enough to deploy with a Group Policy, but the policy has to be set up correctly, and each workstation has to be checked to make sure the setting actually took effect.
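One way to check on a workstation that the WSUS Group Policy took effect, as an added example that is not ATS tooling; the server URL and the 45-day patch-age threshold are assumptions to replace with your own values.

```powershell
# Added example: confirm the WSUS Group Policy actually landed on this workstation.
param(
    [string]$ExpectedServer = 'http://wsus.bank.example:8530',  # hypothetical URL
    [int]$MaxPatchAgeDays = 45                                   # assumed threshold
)

# Registry locations written by the Windows Update client Group Policy settings.
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = "$wuKey\AU"

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # $null means the key or value is absent, i.e. the policy never applied.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

$findings = @()
$expected = $ExpectedServer.TrimEnd('/')

# Both the update server and the reporting server should point at WSUS.
foreach ($name in 'WUServer', 'WUStatusServer') {
    $value = Get-PolicyValue $wuKey $name
    if ($null -eq $value) {
        $findings += "$name is not set by policy"
    } elseif ($value.TrimEnd('/') -ne $expected) {
        $findings += "$name points to '$value', expected '$expected'"
    }
}

# WUServer is only honoured when UseWUServer is 1.
if ((Get-PolicyValue $auKey 'UseWUServer') -ne 1) {
    $findings += 'UseWUServer is not 1; the WUServer setting is ignored'
}

# Pointing at WSUS is not enough: check that updates are actually being installed.
$last = Get-HotFix | Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending | Select-Object -First 1
if ($null -eq $last) {
    $findings += 'No installed updates reported by Get-HotFix'
} elseif ($last.InstalledOn -lt (Get-Date).AddDays(-$MaxPatchAgeDays)) {
    $findings += "Newest update $($last.HotFixID) is older than $MaxPatchAgeDays days"
}

[pscustomobject]@{
    Computer  = $env:COMPUTERNAME
    Compliant = ($findings.Count -eq 0)
    Findings  = $findings -join '; '
}
```

Collecting this object from every workstation gives a per-machine record that patches are being applied consistently, not just approved.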

For more on a comprehensive patch management program for banks, contact ATS’ Managed Services group at [email protected].