Do you have scheduled fixed day(s) of a month for downtime to patch each critical system?

Security, Engineering Do you have scheduled fixed day(s) of a month for downtime to patch each critical system?

Pulse User

Patch agents are receiving patches and updating systems 24/7, the only scheduled activity is a reboot if systems are going more than seven days without restarting 

Pulse User

As needed, and also regular schedule like MS patch Tuesday.

Pulse User

Patch scheduling depends on severity (CVSS score). Most are fixed during scheduled maintenance windows, but high and critical are dealt with as needed to remediate as quickly as possible.

Pulse User

Depends on the criticality of the vulnerabilities. We can do urgent immediate patches if necessary outside the cycle.

Pulse User

I answered no, because it's not a fixed day of the month.  Rather, we have a weekend each quarter where we negotiate a quarterly IT outage.  In our work on patching what we found was that it was far easier to hold individual applications accountable for finding their own downtime (negotiating the specific duration/date of each outage with their business customers).  But when broader outages were required (think core switches and routing, shared VM infrastructure, etc) that impacted multiple applications -- and maybe multiple critical applications -- it was easier to pre-plan these weekend outages for the year.  Our experience was that initially these outages were more impactful to systems because we were dealing with a lot of deferred maintenance.  But after the first year (4 weekends) the impacts were much more limited in scope (in general).   Our biggest learning was that it was much easier to negotiate the weekends that we needed a year in advance (and then continually remind people that they were coming up!), and that we always had work that needed to be done.  Also, having these scheduled outages allowed for better coordination of support staff when bigger changes were necessary.