10 Best Practices for Credit Union Patch Management

After several years of doing it ourselves, my partner and I broke down…

We hired a house cleaner. We also brought in a landscaper to rake our pine needles and keep our shrubs in check.

Ultimately, we realized that it takes the pros less time to do a more thorough job. And, though it costs a bit extra, we feel the expense is more than justified by the extra time it affords us. It means more quality time for day trips, long bike rides, and other chores. (Mostly other chores.)

All that brings us to today’s Fintech Friday topic:

Patch management for credit unions.

Special thanks to Ongoing Operations for lending us some expertise!

 

What Is Patch Management?

Patch management is the process of downloading new bits of code—“patches—to update software and systems. These updates reduce and eliminate vulnerabilities that hackers can exploit.

In short, patches fix weaknesses in software. Patch management makes sure those patches are applied.

Patches often update features and functions as well. So, it’s not always about security. Sometimes, patches simply make systems run faster or do more things.

In credit unions, frequently patched areas include operating systems, applications, and embedded systems (like network equipment).

 

Patch Management Best Practices

We spoke with Ongoing Operations, a CUSO that has been providing managed patching to credit unions for over a decade. They offered a list of 10 best practices for patch management:

  1. Maintain a consolidated and up-to-date software inventory. The saying goes, “you can’t manage what you don’t measure.” Similarly, you can’t patch what you’re not aware of.
  2. Stay up to date with security updates from vendors. You may want to subscribe to automated notifications from vendors to make sure you don’t miss anything.
  3. Create a defined patch management policy. Not only does this set a good, repeatable precedent, but it also shows regulators that you’re on top of things.
  4. Prioritize patches the right way. You should evaluate the risk of the vulnerabilities to your credit union and patch systems based on your defined SLAs for vulnerability remediation. Then, document your risk-based prioritization, especially if you opt out of any given patch, to demonstrate the why behind your choices to regulators. (Paper trails are always good.)
  5. Maximize the speed of deployment. This will help you minimize business impact, such as downtime or slowed system performance, especially during business hours. Also, be sure to test patches on a pilot group or non-production environment to evaluate the impact before pushing everything live. You should still patch as fast as possible, but this precaution will help with item #9!
  6. Centralize and automate patch management. Automation will dramatically increase the speed and reliability of your patching. Centralization ensures that patching is aligned, easy to manage, and not haphazard.
  7. Patch third-party applications on par with operating systems. Third-party software is often one of the NCUA’s supervisory priorities.
  8. Integrate with vulnerability management for comprehensive risk mitigation. In fact, all patching is holistic and should extend through other areas of risk management and business continuity. For example, make sure that patches are installed in your disaster recovery failover as well as your live environment.
  9. Have a rollback plan in place. This will help you mitigate unintended consequences, such as introducing new vulnerabilities or affecting system performance.
  10. Take precautions for patch-exempted endpoints. Smartphones included. Again, a paper trail is always a good thing to have.

Patching isn’t glamorous work, but it’s vital to the function of credit unions. Working technology is the foundation upon which digital transformation is built.

Moreover, security is the most important thing to members. In tech poll after tech poll, we’ve seen “security” trump other high-impact member experience things like convenience, ease of use, and personalization.

 

How Is Patching Like Hiring a House Cleaner?

Patching itself isn’t like hiring a house cleaner, actually. But Ongoing Operations did explain why they know so much about successful patch management for credit unions:

They offer managed patching.

“Managed patching” is where they download and install patches for you according to best practices.

It doesn’t cost much, and it frees up your team for… other chores.

If IT time is at a premium, managed patching removes that burden. It also ensures compliance—one less potential headache.

 

Additional Resources

Like what you’ve seen so far? Sign up for our Fintech Call Program and get a personalized, 30-minute call each quarter. We’ll discuss the latest technologies and solutions, make key introductions, and offer early access to events, giveaways, and more!

And of course, please subscribe to our blog (if you haven’t already)!