This is kind of a confidential thing, so feel free to PM responses to me.

I'm working on an audit of IT policies, and I'm wondering what others are doing with regards to patches for devices such as routers and switches. Specifically does your policy mandate patching devices inside your firewall(s) or only those outside the firewall(s)?

Whether “Patch Management” is a subset of a different IT Policy or its own standalone policy, a Patch Management Policy should address any hardware system or software system that is able to be updated with a more current, more robust, more stable, more secure, etc. version and that is within the company’s responsibility demarcation (i.e. you are not responsible for patching your ISP’s routers).

With that in mind, whether a device or system is inside or outside your firewall becomes irrelevant.

-g

Step back from the router!

We are outsourced with the entity handled those issues, thank God.

I hear ya Paragon . . . but as you know, you have to stay on your toes. Citibank (link to article below) was under contract with a vendor to handle "those" kinds of issues - but something slipped through the cracks - like 120,000 customer records . .

http://www12.mainichi.co.jp/news/mdn/search-news/900121/citibank-0-1.html

-g