Matthew,
We have a mixed environment, but mostly Windows. Each month we apply the patches based on criticality, vendor input on their testing and supportability, and minimizing down-time. We use St. Bernard's Update Expert. IS reps coordinate reboot time with users after testing is complete and the patch is applied. Any app that we can do outside of our monthly down-time (mostly non-security related), we do. This varies by system, but the fewer systems we have to patch/reboot at the planned down-time keeps the variables to a minimum (i.e. why is this not working anymore, what was changed last?). The down-time per system is short and has come to be expected as a cost of doing business. We also have a change control process to discuss potential impacts and work-arounds. In general, most vendors are coming around on patching FDA systems, but some big ones like Seimens are still a pain. Those systems remain unpatched but have other controls or mitigating circumstances that reduce the risk. Worst case is they will be taken offline if infected. --------------------------------------------------------------------------- ---------------------------------------------------------------------------
