Technology Compliance Audits: Application and Server Patch Automation
Meet Bruce.
Bruce is a 45-year-old IT manager with twenty years' experience working for ACME Power. Bruce has three photos on his desk – one of his wife, Linda; one of his kids, Davy and Wendy; and one of Microsoft CEO Satya Nadella. Apart from his laptop, Bruce's desk is pristine. He walked into the office this morning with a big smile on his face and passed out donuts to his colleagues.
Today has been highlighted in Bruce’s Outlook calendar for weeks. It’s day one of a thorough compliance audit of ACME Power’s application and server infrastructure.
Meeting Compliance Requirements for Patches and Updates
The last time there was an audit, several years ago, the company made headlines because a penetration test found several vulnerabilities on ACME servers due to missed security updates. Other tests found missed patches in the SQL databases, RightFax, and the Outlook mail servers.
During that failed audit, Bruce had been in charge of ACME's SCADA network and Cognos analytics system. His systems were the only ones to pass. That's one of the reasons Bruce was promoted. He also recommended the implementation of Microsoft System Center Configuration Manager (SCCM).
Bruce sits down at his desk and pulls up the latest SCCM logs on his screen. His smile fades, as it seems some patches failed again this month. He was sure SCCM was set to apply the latest code updates. Apparently, they didn’t complete after all. Tension builds in Bruce’s mind, and he calls an ad-hoc meeting of his beleaguered system administration team to see why they are set to fail another audit.
Automated Patch Installations Within the Maintenance Window
For IT administrators, manually patching servers and applications can be an arduous task, especially when the work has to be done late at night or on weekends so it won't impact employee productivity.
Once SCCM is implemented, taking it for granted that patches will be applied without fail is a risky assumption. Have you noticed that many patches don't even get routed to the SCCM client until after the maintenance window has lapsed?
Without pre-testing, an automated patch can fail and halt a whole series of updates, which means an administrator either drives into the office after hours or risks missing the release window. Ideally you would also confirm that each server reboots and performs properly when it comes back online, but SCCM can't do this alone.
Producing Comprehensive Reports for Auditors
Have you struggled with making the time to manually generate reports on what updates were applied, when they were applied, and how the servers performed when they came back online? Some of this data just isn’t available via SCCM.
In regulated industries like banking, utilities, oil and gas, and government, it is critical to be able to demonstrate that applications and servers have the latest code updates, so that sensitive data stays secure and available. It's not just about production systems either: the integrity of your development, failover and backup environments also needs to be demonstrated.
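One way to produce the evidence described in the two sections above (which updates landed, whether they landed inside the maintenance window, and whether the server rebooted and its services came back), written here as an added example that is not part of the original post or of beekeeper. It assumes remote CIM access to the servers, constructed server names, a sample maintenance window and an assumed list of critical services, and it reads the SCCM client's CCM_SoftwareUpdate class where a client is installed.

```powershell
# Added example, not code from the original post or from beekeeper: collects the
# evidence an auditor asks for from each Windows server - which updates were installed,
# whether they landed inside the maintenance window, whether the server rebooted
# afterwards, whether critical services came back, and what the SCCM client still
# reports as waiting or failed. Needs remote WMI/CIM access and admin rights.
param(
    [string[]]$ComputerName = @('SRV-APP01', 'SRV-SQL01'),  # constructed names
    [datetime]$WindowStart  = (Get-Date '2024-02-10'),      # assumed window; Get-HotFix reports
    [datetime]$WindowEnd    = (Get-Date '2024-02-11'),      # dates only, so compare by day
    [string[]]$Services     = @('MSSQLSERVER', 'W3SVC'),    # assumed critical services
    [string]$ReportPath     = '.\patch-audit-report.csv'
)

$report = foreach ($server in $ComputerName) {
    $os = Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $server
    # Updates the OS itself records as installed since the window opened.
    $hotfixes = @(Get-HotFix -ComputerName $server | Where-Object { $_.InstalledOn -ge $WindowStart })
    if ($hotfixes.Count -eq 0) {   # an empty result is itself a finding, so keep a row for it
        $hotfixes = @([pscustomobject]@{ HotFixID = '(none since window start)'; InstalledOn = $null })
    }
    # Post-reboot health: every critical service must be Running.
    $filter = ($Services | ForEach-Object { "Name='$_'" }) -join ' OR '
    $down   = @(Get-CimInstance -ClassName Win32_Service -ComputerName $server -Filter $filter |
                Where-Object State -ne 'Running' | Select-Object -ExpandProperty Name)
    # SCCM client view of the same cycle; the class is absent where no client is installed.
    # EvaluationState 14 = waiting for a service window, 13 = error.
    $ccm = @(Get-CimInstance -ComputerName $server -Namespace 'root\ccm\ClientSDK' `
                -ClassName CCM_SoftwareUpdate -ErrorAction SilentlyContinue)

    foreach ($hf in $hotfixes) {
        $installed = $null -ne $hf.InstalledOn
        [pscustomobject]@{
            Server           = $server
            HotFixID         = $hf.HotFixID
            InstalledOn      = $hf.InstalledOn
            InWindow         = ($installed -and $hf.InstalledOn -ge $WindowStart -and $hf.InstalledOn -le $WindowEnd)
            LastBoot         = $os.LastBootUpTime
            RebootedAfter    = ($installed -and $os.LastBootUpTime -ge $hf.InstalledOn)
            ServicesDown     = ($down -join ';')
            WaitingForWindow = @($ccm | Where-Object EvaluationState -eq 14).Count
            FailedInSCCM     = @($ccm | Where-Object EvaluationState -eq 13).Count
        }
    }
}

$report | Export-Csv -Path $ReportPath -NoTypeInformation
# Exceptions to chase before the auditor finds them.
$report | Where-Object { -not $_.InWindow -or -not $_.RebootedAfter -or $_.ServicesDown -or $_.FailedInSCCM } |
    Format-Table Server, HotFixID, InWindow, RebootedAfter, ServicesDown, FailedInSCCM -AutoSize
```

The CSV is the artefact to hand the auditor; the table on screen is the list of servers that need attention before the next window.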
The Costs of Non-Compliance with Patching Regulatory Standards
Consider the direct and indirect costs of failing an IT infrastructure audit. There are fines and penalties from regulatory agencies such as the relevant provincial securities commission or the Office of the Superintendent of Financial Institutions (OSFI).
If news of the failed audit hits the press, there is the loss of investor, customer, and employee confidence to be concerned with, not to mention potential lost revenue from customers who buy or contract from a competitor out of fear of a data breach.
Needless to say, nobody in a regulated organization wants to face the consequences of a failed IT audit. With increased scrutiny on data security and privacy, information governance regulations keep multiplying, such as:
- GDPR (General Data Protection Regulation)
- PIPEDA (Personal Information Protection and Electronic Documents Act)
- PHIPA (Personal Health Information Protection Act)
- HIPAA (Health Insurance Portability and Accountability Act)
- SOC 1 and SOC 2 (Service Organization Control)
- PCI (Payment Card Industry) Compliance
The heightening of these standards translates to more intensive auditing and reporting of security patching and fixes.
Pushing Fear, Uncertainty and Doubt Aside
Staying out of compliance jeopardy doesn’t have to mean your crew needs to monitor application and server code updates in your datacenter late at night. Patch Tuesdays, Threat Risk Assessments and other audits don’t have to strike fear across your organization.
Take control of the full lifecycle of your server and application patching. Whether your infrastructure is on-premises hardware, virtualized Hyper-V servers, or cloud servers in Azure, beekeeper can extend the functionality of SCCM and keep your Microsoft systems up to date with the latest code updates and fixes.
Discover more about beekeeper on our website.
Watch the role-based demonstrations of our operational/technical and management reporting on YouTube.
Or better yet, give us a buzz.
Let’s talk about how process automation can help your business achieve and maintain compliance with the standards which matter most to your business, your customers, your employees and other key stakeholders.