One work-around that we did at the hospital I was at was to create a DMZ
for systems we were not allowed to patch. We had been given instructions
not to patch the FDA systems, specific vendor systems for support reasons,
etc.
So, we isolated those solutions as best we could, using our firewall. We
could regulate traffic in and out, minimizing the risk to our production
network and allowing people to still get their jobs done.
One of our apps, we ran through MS Terminal services on a Terminal Server
in the DMZ and only opened up the TS ports for the user. That worked
pretty well.
Sincerely,
Bryan S. Sampsel
LibertyActivist.org
jconrad@samc.com wrote:
Matthew,
We have a mixed environment, but mostly Windows. Each month we apply the
patches based on criticality, vendor input on their testing and
supportability, and minimizing down-time. We use St. Bernard's Update
Expert. IS reps coordinate reboot time with users after testing is
complete and the patch is applied. Any app that we can do outside of our
monthly down-time (mostly non-security related), we do. This varies by
system, but the fewer systems we have to patch/reboot at the planned
down-time keeps the variables to a minimum (i.e. why is this not working
anymore, what was changed last?). The down-time per system is short and
has come to be expected as a cost of doing business. We also have a
change control process to discuss potential impacts and work-arounds. In
general, most vendors are coming around on patching FDA systems, but some
big ones like Seimens are still a pain. Those systems remain unpatched
but have other controls or mitigating circumstances that reduce
the risk. Worst case is they will be taken offline if infected.
---------------------------------------------------------------------------
---------------------------------------------------------------------------
---------------------------------------------------------------------------
---------------------------------------------------------------------------
