New Server Patching Process Requires Your Attention

Security patch compliance for our Windows and SQL Server estate is significantly below our monthly target of 95%. Non-compliance poses a real and critical threat in an ever-changing security landscape.

We need a partnership between our app owners and support teams to improve patch compliance and protect our patients, caregivers, and brand. The low compliance has been attributed to servers in the “Patch No-Reboot” collection. These servers remain in a pending reboot state for long periods and cannot install any further updates. This has impacted 35% of our server estate and poses a major security risk.

As a result, we are standardizing our security patching process to improve patch compliance.

What is changing?
After careful evaluation, we are introducing an enhanced automated patching process with server reboot to ensure consistent patch compliance across our server estate. As a result, the manual “Patch No-Reboot” service will be deprecated by the end of November.

The new process gives application owners the flexibility to self-select a patching window that meets their needs, patch their servers (automated or manual), and reboot on a monthly basis (before the last day of each month).

Auto Patching

  • Auto patch deployment
  • Server reboot scheduled based on pre-defined maintenance window chosen by app analysts
  • Deadline to complete patching by the last day of the month

Self-Service Manual Patching

  • App analysts can apply patches and reboot their servers based on their own schedule
  • Deadline to complete patching is by the last day of the month

What we need from you

We are asking all server owners with servers in the “Patch No-Reboot” collection to follow the instructions (link below) to move their servers to either the Auto Patching or the Self-Service Patch collection before December 1, 2020.

Instructions to move servers to Auto/Self-Service patching

Additional resources

If you need further guidance, please attend the daily Enterprise Patch Management office hours at 12:00 p.m. (noon), running November 2 through December 1, 2020.

You may also contact the Enterprise Patch Management team with further questions.