Multi-Agency Patch Management Follow-up Report


What Is Patch Management?

Cyber criminals constantly try to break into vulnerable information technology systems and hardware to gain unauthorized access to data. Technology vendors usually test their systems thoroughly for cybersecurity vulnerabilities; however, attackers keep finding new ways to exploit systems.

To combat vulnerabilities, vendors develop corrections or fixes for security loopholes or flaws as those become known. These corrections or fixes are applied to systems through “patches.” Patches are common. According to the SANS Institute (SysAdmin, Audit, Network, and Security), a security research and education company: “In the software world, rarely, if ever, is an application developed without having the need to be corrected, upgraded, or modified.”

Cybersecurity is not the only reason to apply patches to a system. In some cases, a patch adds new features. For example, a software update (i.e., a patch) for the iPhone added a variety of new features, including dark mode, a photos tab, and enhancements to portrait lighting when taking a photo. “Patch management” is the process of identifying, acquiring, installing, and verifying patches for information technology systems. There are many models of what an effective patch management program should look like, but all share certain common characteristics.

* For sources and references, please download the Patch Management follow-up report (PDF, 610KB).

Why Patch Management Is Important

An effective patch management process helps reduce cybersecurity risks across information technology systems. Installing patches in a timely manner can lessen the chance of a breach and any resulting data loss. According to the Ponemon Institute, an independent research firm on data protection and emerging information technologies, “60% of cyberattack victims report that their breaches could have been prevented by installing an available patch.” Some of the largest data breaches reported in recent years were caused by unpatched systems. These include data breaches at Equifax, JP Morgan Chase, Target, The Home Depot, and Marriott. Millions of customers were impacted in these cases, which resulted in lawsuits, fines, and reputational damage to the companies.

In addition, The Institute of Internal Auditors, an organization established to provide leadership for the internal auditing profession, advises that organizations with good patch management:

  • “Spend less money and [information technology] energy on unplanned work.”
  • “Spend more money and [information technology] energy on new work and achieving business goals.”
  • “Experience less downtime.”
  • “Install patches with minimum disruption.”
  • “Focus more on improvements and less on ‘putting out fires.’”

The lack of an effective patch management process can be costly. The average cost of a data breach in 2019 was over $8 million. Poor patch management processes can also cost organizations in other ways. For example, The Institute of Internal Auditors says that poor change management processes can cause:

  • “Attrition of highly qualified [information technology] staff due to frustration over low-quality results.”
  • “Poor quality systems that make employees ineffective and inefficient or that alienate customers.”
  • “Missed opportunities to provide innovative or more efficient products and services to customers.”


Auditor's Letter

January 6, 2022

In keeping with generally accepted government auditing standards and Auditor’s Office policy, as authorized by city ordinance, the Audit Services Division has a responsibility to monitor and follow up on audit recommendations to ensure city agencies address audit findings through appropriate corrective action and to aid us in planning future audits.

In our follow-up effort for the “Patch Management” audit report issued in May 2020, we found some areas of strength and some areas that need improvement. Because of the information security sensitivities involved with patch management, these issues have been communicated separately to the relevant city agencies for their remediation. However, we include background information in this report as a reference.

I would like to express our sincere appreciation to the personnel in the relevant city agencies who assisted us throughout the audit and the follow-up process. For any questions, please feel free to contact me at 720-913-5000.

Denver Auditor,

Timothy O'Brien, CPA
