How a major energy company used patch management to strengthen its security posture

Client's challenge

The IT organization of a major energy company was struggling with its patch management process. System downtime was minimal, but only because the staff put forth extraordinary effort, including many late nights of work. Despite the IT staff's dedication, the company's systems remained exposed because of the lag between vendors issuing patches and the company deploying them. The CIO asked PwC to assess the patch management process and benchmark it against other energy companies. She wanted recommendations for specific process and technology improvements to lower risk and make the company's patch process more efficient. Finally, her organization needed a way to prioritize the critical systems controlling power distribution and supply over less critical internal file and print systems.

PricewaterhouseCoopers Advisory solution

PricewaterhouseCoopers (PwC) conducted interviews with IT and business managers to understand the company's business priorities as well as the impact of outages and patch-related downtime on the company's ability to deliver service to customers. Using its patch management capability maturity framework, the PwC Advisory team assessed the IT organization's people, policies, procedures and technology capabilities.

The capability framework addresses the major areas critical to the patch management process, such as policies, governance and change management. PwC benchmarked the energy company’s existing capabilities for each of these areas against those of other energy companies. Two key issues were identified from the patch management assessment: 1) There was no consistent patch process used for the corporate, subsidiary and branch locations of the company. 2) There was no repeatable and reliable methodology for testing patches for compatibility before they were deployed.

The assessment also uncovered risk management and asset classification issues that, if resolved, could alleviate some of the IT workload. By undertaking a risk assessment of each new patch, the IT organization could determine which patches required immediate deployment and which could wait for the company’s standard two-week change management windows. PwC also found that the company’s asset inventory failed to categorize assets by criticality. For example, there was no way to immediately determine which of the 1000 systems controlled power generation or the customer call center or basic file-print-email functions. By classifying its assets, the company would streamline the patch process by allowing the IT organization to focus first on the most critical systems.

For the vendor application systems that could not be patched due to vendor requirements, PwC recommended mitigating controls, such as changing network access control lists on routers, installing network intrusion detection and implementing host-based firewalls and intrusion prevention systems to add additional layers of control.
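The two preceding paragraphs describe a risk-based triage: score each new patch against the criticality of the assets it touches, deploy immediately or in the next two-week window accordingly, and route vendor-locked systems to compensating controls instead. The following Python is an added illustration of that decision logic and is not PwC's or the client's code. The three criticality tiers, the scoring weights, the 48-hour immediate deadline, the window anchor date and the sample assets and patch are all assumptions made for the example; the compensating controls listed are the ones the case study names.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from enum import IntEnum
from typing import Optional


class Tier(IntEnum):
    """Asset criticality classes (assumed for the example)."""
    GENERATION = 3   # systems controlling power generation/distribution
    CALL_CENTER = 2  # customer call center
    OFFICE = 1       # basic file, print and email services


@dataclass(frozen=True)
class Asset:
    name: str
    tier: Tier
    vendor_locked: bool = False  # vendor forbids patching outside its own release


@dataclass(frozen=True)
class Patch:
    vendor_id: str
    severity: int            # vendor-assigned severity, 1 (low) .. 4 (critical)
    remote_exploitable: bool
    exploit_public: bool
    targets: tuple[str, ...]  # names of assets the patch applies to


@dataclass(frozen=True)
class Decision:
    asset: str
    action: str               # "immediate" | "scheduled" | "mitigate"
    score: int
    deploy_by: Optional[date]
    controls: tuple[str, ...] = ()


# Compensating controls named in the case study for unpatchable vendor systems.
MITIGATIONS = (
    "router ACL: restrict inbound access to the vulnerable service",
    "network intrusion detection on the segment",
    "host-based firewall",
    "host-based intrusion prevention",
)

IMMEDIATE_THRESHOLD = 10          # assumed cut-off for out-of-band deployment
IMMEDIATE_DEADLINE = timedelta(days=2)
WINDOW_PERIOD = timedelta(days=14)


def risk_score(asset: Asset, patch: Patch) -> int:
    """Criticality x severity, with uplifts for remote and public exploitability."""
    score = asset.tier * patch.severity
    if patch.remote_exploitable:
        score += 2
    if patch.exploit_public:
        score += 3
    return score


def next_window(today: date, anchor: date) -> date:
    """First scheduled change window on or after `today` (windows every 14 days)."""
    elapsed = (today - anchor).days
    periods = -(-elapsed // WINDOW_PERIOD.days)  # ceiling division
    return anchor + WINDOW_PERIOD * periods


def triage(patch: Patch, inventory: dict[str, Asset],
           today: date, window_anchor: date) -> list[Decision]:
    """Decide, per target asset, whether the patch goes out now, next window, or is mitigated."""
    decisions = []
    for name in patch.targets:
        asset = inventory[name]
        score = risk_score(asset, patch)
        if asset.vendor_locked:
            decisions.append(Decision(name, "mitigate", score, None, MITIGATIONS))
        elif score >= IMMEDIATE_THRESHOLD:
            decisions.append(Decision(name, "immediate", score, today + IMMEDIATE_DEADLINE))
        else:
            decisions.append(Decision(name, "scheduled", score, next_window(today, window_anchor)))
    order = {"immediate": 0, "mitigate": 1, "scheduled": 2}
    return sorted(decisions, key=lambda d: (order[d.action], -d.score))


# Constructed sample inventory and patch (not real systems or advisories).
INVENTORY = {
    "gen-scada-01": Asset("gen-scada-01", Tier.GENERATION, vendor_locked=True),
    "callcenter-app-01": Asset("callcenter-app-01", Tier.CALL_CENTER),
    "fileprint-03": Asset("fileprint-03", Tier.OFFICE),
}
SAMPLE_PATCH = Patch("VENDOR-2006-0001", severity=4, remote_exploitable=True,
                     exploit_public=False,
                     targets=("gen-scada-01", "callcenter-app-01", "fileprint-03"))


def sample_run() -> list[Decision]:
    return triage(SAMPLE_PATCH, INVENTORY, date(2024, 1, 10), date(2024, 1, 5))


if __name__ == "__main__":
    for d in sample_run():
        print(f"{d.asset:18} {d.action:10} score={d.score:2} by={d.deploy_by} {d.controls}")
```

The point of the ordering is the one the case study makes: with assets tiered, the call-center server gets the out-of-band deployment, the file-and-print box waits for the regular window, and the vendor-locked control system is explicitly handed to network and host controls rather than silently left unpatched.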

Impact on client's business

The CIO received a strategic roadmap outlining direction for a sustainable patch management solution. It included tactical recommendations for achieving short-term wins, such as undertaking risk assessment and asset classification as well as working around the vendor application issues that left the organization vulnerable. With an overarching plan in place, the CIO was confident that subsidiaries and branch locations could follow company policies. As a result of PwC's work, the CIO was also able to create a business case for investing in a patch management program. By training employees and implementing automated technology, the company would be able to strengthen its security posture and become an industry leader in patch management.



© 2006-2008 PricewaterhouseCoopers. All rights reserved. PricewaterhouseCoopers refers to the network of member firms of PricewaterhouseCoopers International Limited, each of which is a separate and independent legal entity.