I know what you're thinking, "I already have an RMM tool that handles patching automatically... That's what I've promised my clients!" True, your RMM tool does have the ability to automatically approve, install and in some cases even re-mediate patch issues. So why do MSP's even need a written Patch Management Policy?
What is a policy anyway?
Before we can answer why MSP's need a Patch policy, it's important that we establish what a policy is - "a course or principle of action adopted or proposed by a government, party, business, or individual." So now that we've established that policies dictate what course or principles we have adopted as an organization, we ask the question why?
So Why Do We Need A Written Patch Policy?
As MSP's know to well, Patch Management is a basic but key component of their Managed offering to clients. The process involves obtaining, testing, and installing several patches to the computer system in order to keep it safe against malware attacks or to resolve known issues with the software. But as with any change to a business network, it can cause issues, and so it's critical that the patch management process is well defined and communicated with all parties involved to limit exposures. Questions such as: What type of Patches will be deployed? When will we deploy them? When will we reboot machines? What will happen if a critical out-of-band patch is released? What happens with failed patches? How will I know if i'm up to date? are just basic but important questions that not only your employees should know, but are critical for your clients to know.
This is exactly what a patch management policy helps us to accomplish, defining the process that your team will follow to ensure client systems and applications are up-to-date, known vulnerabilities are being addressed and that the client is compliant with regulatory bodies and standards. Documenting your "standard" for managing patches ensures that you and your customers are all on the same page. New tech hires will also be clear as to what is expected of them and what service level has been promised to clients.
What should a patch management policy cover?
Priority & Scheduling. The policy should include how patches will be prioritized and scheduled for installation. What will be the procedure for "Out-of-Band" High Severity patches, and when will patch installations occur.
Patch Types. What types of patches will be deployed? Security, Feature Releases, Service Pack Installs? Will these be completed automatically or upon request or need.
Patch Managed Devices. Does your standard Patch Management service cover patching all core systems and operating systems or just a limited amount based on your RMM capabilities? Do you provide LOB upgrades? Make sure to specify what devices and systems are covered.
Patch Testing Process. How will you test patches? Will you have a test environment for each customer or a generic test environment? What systems are tested, and which are not? What happens if a patch fails a test? How soon before release to production are patches tested.
Patch Deployment Process. Who will deploy patches, how will patches be deployed, and will you notify users the day of? What will be the process if a patch causes issues.
Patch Audit & Assessment. With the ongoing threat of security being compromised and given the huge and daunting task of patch management, it's almost certainly a good idea to have the essential procedures and responsibilities clearly defined through a detailed patch management policy.
Unsure about where and how to start writing your first SOP? We can help. At MSPWerks we help MSP's easily create & share Core Process, Standards and Operating Procedures internally and with their managed clients. Quickly build your MSP standards through our self-paced wizard with SOPwerks and provide your clients with their own customer portal.
Ready to create SOP's for your MSP business? We can help! Our mission at MSPwerks is to develop MSP tools targeted to help MSP's run their business, reduce employee stress, increase overall productivity, and generate healthy revenue. Our MSP tool, SOPwerks, is an easy-to-use, online platform that makes creating quality SOP's simple and fast. Create your own SOP from scratch or use one of our MSP SOP templates filled with checklists designed by MSP industry experts. Learn more here: MSPwerks.com