COMPLIANCE COUNSELOR

Patching for regulatory compliance


Brien M. Posey
05.03.2005

What you will learn from this tip: What to look for in patch management tools to meet regulatory compliance requirements.
Microsoft often releases an overwhelming number of security patches, making Windows upkeep a major chore. Although many utilities are available to ease your patch management burdens from a technical standpoint, you won't find a plethora of tools to address some increasingly important, non-technical issues -- federal government regulations.

When complying with regulations, the end result is often less important than the method used to reach it and the evidence you can produce for it. Two patch management products may leave every machine in exactly the same patched state, yet how you apply, track and document Microsoft security patches can decide whether you pass or fail an audit.

For example, you need to be able to generate reports showing which patches have been applied to each Windows system and when they were applied. An auditor may ask you to prove that a specific security patch was applied to every machine in the organization and has not since been removed. The most effective way to provide such proof is a patch management tool that records each machine's patch state over time and can produce granular, per-machine reports; a one-off inventory snapshot shows only the current state, not when a patch was installed or whether it was later uninstalled. Some lower-end patch management utilities do not offer such functionality. Some federal regulations may also require that you patch higher-risk systems on an expedited schedule, which means the tool must let you classify systems and apply different deployment deadlines to them; that, too, is not available in every patch management tool.
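The kind of per-machine evidence described above can be gathered without a commercial suite. The following PowerShell script is an added example and is not code from the original tip or from any product mentioned in it. It queries each named computer for one update ID, reads the Windows Update history on that machine so that an update which was installed and later uninstalled is flagged rather than silently reported as missing, and writes the result to a CSV that can be handed to an auditor. The computer names, the KB number and the report path are hypothetical; the script assumes PowerShell remoting (WinRM) is enabled on the target hosts.

```powershell
# Added example, not from the original article: collect per-machine evidence
# that a given Microsoft update is installed, and flag machines that removed it.
# Hypothetical values: the KB number, the computer names and the report path.
param(
    [string]$KB = 'KB5034441',                            # hypothetical update ID
    [string[]]$Computers = @('SRV01', 'SRV02', 'WKS17'),  # hypothetical hosts
    [string]$ReportPath = ".\patch-evidence-$KB.csv"
)

$scriptBlock = {
    param($KB)

    # Get-HotFix reads Win32_QuickFixEngineering, which lists what is installed
    # now. It does not record removals, so it cannot answer "was it uninstalled?"
    $installed = Get-HotFix -Id $KB -ErrorAction SilentlyContinue

    # The Windows Update Agent history keeps both installs and uninstalls.
    $session  = New-Object -ComObject 'Microsoft.Update.Session'
    $searcher = $session.CreateUpdateSearcher()
    $count    = $searcher.GetTotalHistoryCount()
    $history  = if ($count -gt 0) { $searcher.QueryHistory(0, $count) } else { @() }

    # Matching on the KB number in the title is a heuristic: entries are keyed
    # by update title, not by KB, so a title that omits the KB will be missed.
    $entries = @($history | Where-Object { $_.Title -match $KB } | Sort-Object Date)
    $events  = $entries | ForEach-Object {
        # IUpdateHistoryEntry.Operation: 1 = Installation, 2 = Uninstallation
        $op = switch ($_.Operation) { 1 { 'Install' } 2 { 'Uninstall' } default { 'Other' } }
        # ResultCode 2 = Succeeded
        '{0:u} {1} result={2}' -f $_.Date, $op, $_.ResultCode
    }
    $lastOp = if ($entries.Count -gt 0) { $entries[-1].Operation } else { $null }

    [pscustomobject]@{
        Computer    = $env:COMPUTERNAME
        KB          = $KB
        Installed   = [bool]$installed
        InstalledOn = if ($installed) { $installed.InstalledOn } else { $null }
        Removed     = ($lastOp -eq 2)
        History     = ($events -join '; ')
        CheckedAt   = (Get-Date).ToString('u')
    }
}

$results = foreach ($c in $Computers) {
    try {
        Invoke-Command -ComputerName $c -ScriptBlock $scriptBlock `
            -ArgumentList $KB -ErrorAction Stop
    } catch {
        # An unreachable machine is a gap in the evidence, never "compliant".
        [pscustomobject]@{
            Computer = $c; KB = $KB; Installed = $null; InstalledOn = $null
            Removed = $null; History = "ERROR: $($_.Exception.Message)"
            CheckedAt = (Get-Date).ToString('u')
        }
    }
}

# Full evidence file for the auditor, plus an exception list for the operator.
$results | Export-Csv -Path $ReportPath -NoTypeInformation
$results | Where-Object { -not $_.Installed -or $_.Removed } | Format-Table -AutoSize
```

Run it on a schedule and keep every dated CSV, because the value to an auditor is the series of reports, not the latest one. Two caveats apply: Get-HotFix only sees updates registered as QFE entries, so some update types will not appear there and the history check is the more complete of the two sources; and an error row must be treated as unknown status and chased down, not dropped from the report.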

Of course not all federal regulations apply to all companies. Before you spend a bundle on new patch management software, you should determine which, if any, federal regulations apply to your company. For example, HIPAA (the Health Insurance Portability and Accountability Act) applies to organizations that store or transmit patient-related medical information. FISMA (the Federal Information Security Management Act) applies only to government agencies, GLBA (the Gramm-Leach-Bliley Act) applies mostly to financial institutions and SOX (the Sarbanes-Oxley Act) applies primarily to publicly traded companies. Therefore, if you are not a government agency, a financial institution, a publicly traded company or involved in healthcare, there is a good chance you won't have anything to worry about from these federal statutes. Do not stop there, though: state laws and contractual standards such as PCI DSS can impose patching and reporting requirements on companies that none of the federal statutes cover, so confirm your obligations before concluding that none exist.

If your company does fall under some legislation, you need to know its specific requirements before you go shopping. It could be that your current patch management system already satisfies them.

If you discover that your current utility does not meet those requirements, I suggest you consider an all-in-one compliance product before purchasing new patch management software. Typically, patch management is only one of many issues addressed by a piece of legislation. If you have to spend big bucks on a new patch management solution, it may make more sense to get software that will help with other areas of regulatory compliance as well.

One product I like is Configuresoft's Enterprise Configuration Manager, an enterprise security suite. It offers security templates to correspond with various pieces of legislation. For example, if your organization must comply with HIPAA, you can use the HIPAA template. The software then applies the necessary security settings to all servers and workstations to make your network HIPAA compliant.

This is just one of many applications that can help bring your organization into compliance. The key to successful compliance is to determine which product best meets your organization's specific requirements and budget -- and to remember that it's not the end result that matters so much as the method used to get there, and the records that show you followed it.


About the author: Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. He has served as CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. As a freelance technical writer, he has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies.

This tip originally appeared on sister site SearchWindowsSecurity.com.

All Rights Reserved, Copyright 2003 - 2009, TechTarget | Read our Privacy Policy