
Patching for regulatory compliance

How you apply and manage security patches will help you succeed (or fail) in meeting regulatory compliance requirements. Find out what to look for in patch management tools here.

Microsoft often releases an overwhelming number of security patches, making Windows upkeep a major chore. Although many utilities are available to ease your patch management burdens from a technical standpoint, you won't find a plethora of tools to address some increasingly important, non-technical issues -- federal government regulations.

When complying with regulations, the end result is often not as important as the method used to reach that result. In other words, how you choose to apply and manage Microsoft security patches can ultimately help you succeed or fail in meeting regulatory compliance requirements -- even though you could get the same end results with any patch management application.

For example, you need to be able to generate reports showing which patches have been applied to each Windows system and when they were applied. An auditor may ask you to prove that a specific security patch was applied to every machine in the organization and that it has not since been removed. The most effective way to provide such proof is to use a patch management tool that can generate granular, per-machine reports of installed patches; some lower end patch management utilities do not offer this. Some federal regulations may also require that you patch higher risk systems on an expedited schedule, which calls for a tool that can prioritize and track deployment by system classification -- another function not available in every patch management tool.
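The per-machine evidence described above can be produced without a commercial tool for a single update. The script below is an added example, not from the article or from any product it mentions. It checks one KB identifier across a list of hosts, writes a CSV an auditor can read, and returns a non-zero exit code if any host is not verifiably patched. It assumes WinRM access to every host, that the update is a Windows hotfix visible in the Win32_QuickFixEngineering class (which does not list every update type, such as Office or Defender definition updates), and the KB number and host names are placeholders.

```powershell
# Added example: audit one hotfix across many machines and produce per-host evidence.
# Assumptions: WinRM is reachable on each host, the caller has local admin rights,
# and the update of interest appears in Win32_QuickFixEngineering.
param(
    [Parameter(Mandatory)][string]$KB,                       # e.g. 'KB0000000' (placeholder)
    [string[]]$ComputerName = @($env:COMPUTERNAME),          # placeholder host list
    [string]$OutFile = ".\patch-audit-$KB-$(Get-Date -Format yyyyMMdd).csv"
)

$checkedAt = Get-Date

$report = foreach ($c in $ComputerName) {
    try {
        # Pull the full hotfix list so a connectivity failure is distinguishable
        # from "the hotfix is not installed" (a missing KB is not an error here).
        $qfe = Get-CimInstance -ClassName Win32_QuickFixEngineering -ComputerName $c -ErrorAction Stop
        $hit = $qfe | Where-Object HotFixID -eq $KB

        if ($hit) {
            [pscustomobject]@{
                Computer    = $c
                HotFixID    = $KB
                Status      = 'Installed'
                InstalledOn = $hit.InstalledOn
                InstalledBy = $hit.InstalledBy
                CheckedAt   = $checkedAt
                Error       = $null
            }
        } else {
            # Only currently installed updates are listed, so 'Missing' means
            # either never installed or installed and later removed.
            [pscustomobject]@{
                Computer    = $c
                HotFixID    = $KB
                Status      = 'Missing'
                InstalledOn = $null
                InstalledBy = $null
                CheckedAt   = $checkedAt
                Error       = $null
            }
        }
    } catch {
        # Unreachable or access denied: record it rather than silently skipping,
        # because an auditor needs to see every in-scope host in the report.
        [pscustomobject]@{
            Computer    = $c
            HotFixID    = $KB
            Status      = 'Unknown'
            InstalledOn = $null
            InstalledBy = $null
            CheckedAt   = $checkedAt
            Error       = $_.Exception.Message
        }
    }
}

$report | Export-Csv -Path $OutFile -NoTypeInformation
$report | Format-Table -AutoSize

# Fail the run when any host is not verifiably patched, so the script can gate
# a scheduled job or a change ticket.
$notOk = @($report | Where-Object Status -ne 'Installed')
if ($notOk.Count -gt 0) {
    Write-Warning "$($notOk.Count) of $($ComputerName.Count) host(s) not verifiably patched with $KB; see $OutFile"
    exit 1
}
exit 0
```

Run it as `.\Audit-HotFix.ps1 -KB KB0000000 -ComputerName srv01,srv02,ws07` (names are placeholders). One caveat matters for the "has not been removed" question: Win32_QuickFixEngineering shows only what is installed now, so a removed update simply disappears from the list. A 'Missing' row proves the host is currently unpatched, but proving that the patch was installed and later uninstalled requires update history from the host itself, such as the Setup event log, which is exactly the kind of record a proper patch management tool keeps centrally.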

Of course, not all federal regulations apply to all companies. Before you spend a bundle on new patch management software, you should determine which, if any, federal regulations apply to your company. For example, HIPAA (the Health Insurance Portability and Accountability Act) applies to organizations that store, process or transmit protected health information, including the business associates that handle it on their behalf. FISMA (the Federal Information Security Management Act) applies to federal agencies and to contractors operating systems on their behalf, GLBA (the Gramm-Leach-Bliley Act) applies mostly to financial institutions and SOX (the Sarbanes-Oxley Act) applies primarily to publicly traded companies. Therefore, if you are not a government agency or contractor, a financial institution, a publicly traded company or involved in healthcare, there is a good chance these federal statutes won't impose patching requirements on you, although contracts and industry or state rules may.

If your company does fall under some legislation, you need to be aware of its regulatory requirements. It could be that your current patch management system is already in compliance.

If you discover that your current utility is not in compliance, I suggest you consider an all-in-one compliance product before purchasing new patch management software. Typically, patch management is only one of many issues addressed by a piece of legislation. If you have to spend big bucks on a new patch management solution, it may make more sense to get software that will help with other areas of regulatory compliance as well.

One product I like is Configuresoft's Enterprise Configuration Manager, an enterprise security suite. It offers security templates that correspond to various pieces of legislation. For example, if your organization must comply with HIPAA, you can use the HIPAA template, and the software then applies the template's security settings to all servers and workstations. Keep in mind that applying a template configures systems; it does not by itself make the organization compliant, since the regulations also cover processes, documentation and evidence that the settings stay in place.

This is just one of many applications that will help bring your organization into compliance. The key to successful compliance is to determine which product best meets your organization's specific requirements and budget -- and to remember that it's not the end result that matters so much as the method used to get there.


About the author: Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. He has served as CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. As a freelance technical writer, he has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies.
