![](/uploads/1/2/6/6/126665639/453085366.jpg)
First, many thanks to the person(s) who created this forum/site. Great place for discussion about the profession/business.I am a new member here and starting out PPO who returned to the security industry after many years working in another area. I didn't want to work for someone else while returning, so I went after the PPO license. I recently passed the exam and BSIS asked me to submit badge and patch designs along with the license fee.So, I have prepared the patch design, but the badge design requirement is a new thing for me.My question is – When I was in security, we didn't have a rule concerning badges (or maybe I didn't know ). Wearing a badge was not a MUST. And, still today with the rule in place, what I see is security officers with no badge, or wearing generic badges with no company name or employee number on them.
2.1 Elements of a Good Patch Management Program. Effectively created when personnel from IT, IT security, process engineering, operations. Details of how to build the plan and the related team within your company are. Systems, thus increasing the life of stand-alone legacy systems far beyond their original design. “Top 10” The best free antivirus program choices around today to help keep your devices (Computer, Laptop, Smartphones, Tablets, etc.) safe. Antivirus software is the “security guard” at the gate of a computer system. It protects your devices from incoming threats and seeks out, destroys and warns of possible threats to the system.
So, is this a new must requirement? I have already designed the badge, but do I HAVE TO submit it? And, if the rule is enforced, then how come all these officers working today for different companies still mostly only wear patches?Thanks. First, many thanks to the person(s) who created this forum/site. Great place for discussion about the profession/business.I am a new member here and starting out PPO who returned to the security industry after many years working in another area.
I didn't want to work for someone else while returning, so I went after the PPO license. I recently passed the exam and BSIS asked me to submit badge and patch designs along with the license fee.So, I have prepared the patch design, but the badge design requirement is a new thing for me.My question is – When I was in security, we didn't have a rule concerning badges (or maybe I didn't know ).
Wearing a badge was not a MUST. And, still today with the rule in place, what I see is security officers with no badge, or wearing generic badges with no company name or employee number on them. So, is this a new must requirement? I have already designed the badge, but do I HAVE TO submit it? And, if the rule is enforced, then how come all these officers working today for different companies still mostly only wear patches?Thanks.Yes,you must submit a badge and patch design or your app will not be completed.
Should you be audited by bsis and not in compliance, you'll be fined for every guard you have without it. It has to have your info and a individual number. So, I have prepared the patch design, but the badge design requirement is a new thing for me.My question is – When I was in security, we didn't have a rule concerning badges (or maybe I didn't know ). Wearing a badge was not a MUST. And, still today with the rule in place, what I see is security officers with no badge, or wearing generic badges with no company name or employee number on them. So, is this a new must requirement? I have already designed the badge, but do I HAVE TO submit it?
![Online Online](/uploads/1/2/6/6/126665639/359080785.jpg)
I don't know how long ago you use to work for Security but it is quite while for B&P codeUnarmed = No Badge Patch needed they may wear badge or patch or both. But not required.Armed (include baton) = Both Badge and Patch required and both have to be 'approved' by Director.
BTW, I hate it when people use abbreviations that I have no idea what they mean. Eg, PPO license & BSIS.When someone asks about BSIS or PPO or Business and profession code (B&P code), we instantly understand that question regards to Californiaeven they don't post Location on profile.sometimes I have to look their profile to see where they live (for generic topic)To me, it's hard to understand G license, B license, Z license or X license in FL.but If I don't understand it, it means I can't answer to that question. HOW TO DO A BADGE DESIGN:1. Get a screen capture utility like Faststone Capture (great!) - there are free ones but this one is worth the very modest price as it can even capture screen videos. I think they have a free evaluation version you could use just to accomplish this mission.2.
Select a badge design, and step through the process of designing your badge. You will see it magically appear on screen as you add the 'print' elements to it, choose a seal, etc. If you want, you can play around with a jillion ideas and designs.4. This application does not let you save the picture - hence, the screen capture program. Any capture program will let you select the area to capture, so select the area with the badge and capture it. Faststone will automatically do the capture once you're done selecting the area.5. Save the screen capture.
Each capture program is a bit different about how to do this. Faststone will automatically open the captured image in its own editor, where you could do a lot of things like crop, rotate, etc. But all you need to do in this case is click 'Save As', name the file you're saving, and you're done. With Faststone you can save the image in a lot of different formats, but JPG is probably fine for your purposes.6. Submit to BSIS along with your other stuff. I believe this design, for instance, meets my understanding of BSIS requirements for badge design (company name and badge number).
You could insert a California state seal if that's required.I just did this one in less than three minutes to show you what you get (I added all of the text you see - obviously you would choose your own). Apologies to Williams Patrol Service, if one exists. Not sure if my Latin's correct either.
HOW TO DO A BADGE DESIGN:1. Get a screen capture utility like Faststone Capture (great!) - there are free ones but this one is worth the very modest price as it can even capture screen videos. I think they have a free evaluation version you could use just to accomplish this mission.2. Select a badge design, and step through the process of designing your badge. You will see it magically appear on screen as you add the 'print' elements to it, choose a seal, etc.
If you want, you can play around with a jillion ideas and designs.4. If you are a windows user press the 'print screen' button on your key board.5. Open mspaint.exe and hold 'Crtl' while pressing 'V,' then use the paint croping tool to isolate the badge from the rest of the picture. Submit to BSIS along with your other stuff. I believe this design, for instance, meets my understanding of BSIS requirements for badge design (company name and badge number).
Your badge and patch must contain word ' Private Security' (not just 'Security') among with full name of company.Word 'Private Security' required for only Patch not badge.So, your PPO application had completed, Mr. HOW TO DO A BADGE DESIGN:1. Get a screen capture utility like Faststone Capture (great!) - there are free ones but this one is worth the very modest price as it can even capture screen videos. I think they have a free evaluation version you could use just to accomplish this mission.2. Select a badge design, and step through the process of designing your badge.
You will see it magically appear on screen as you add the 'print' elements to it, choose a seal, etc. If you want, you can play around with a jillion ideas and designs.4. This application does not let you save the picture - hence, the screen capture program. Any capture program will let you select the area to capture, so select the area with the badge and capture it. Faststone will automatically do the capture once you're done selecting the area.5.
Save the screen capture. Each capture program is a bit different about how to do this.
Faststone will automatically open the captured image in its own editor, where you could do a lot of things like crop, rotate, etc. But all you need to do in this case is click 'Save As', name the file you're saving, and you're done. With Faststone you can save the image in a lot of different formats, but JPG is probably fine for your purposes.6. Submit to BSIS along with your other stuff. I believe this design, for instance, meets my understanding of BSIS requirements for badge design (company name and badge number). You could insert a California state seal if that's required.I just did this one in less than three minutes to show you what you get (I added all of the text you see - obviously you would choose your own).
Apologies to Williams Patrol Service, if one exists. Not sure if my Latin's correct either.
Brien Posey, in, 2009 Publisher SummaryPatch management is critical to the security of computers on a network. Keeping the computers up-to-date can keep hackers from using well-known vulnerabilities to exploit the network. However, patching is not a one-time process. One needs to create a scheduled scan that will routinely check for missing patches, so that one can keep the computers on the network up-to-date. Before applying any Microsoft updates, one has to perform a scan to find out which updates are missing from which computers. It is worth mentioning that this is not a one-time process.
Each time there is a plan for deploying updates, one will have to perform a new scan. This is one of the main reasons why GFI LANguard Network Security Scanner supports the use of scheduled scans. One can easily schedule an automated scan that will scan the network for missing patches on a periodic basis.
That way, when one wants to apply patches, the scan is already done. Scans should be scheduled to run late at night so that they are not disruptive to the end users. However, this will only work if the users leave their computers turned on at night. The users do not have to stay logged in in order for the scans to be completed successfully. Patch management is the discipline of ensuring fixes to software bugs, otherwise known as patches, are applied in a timely manner while maintaining the service being provided.
The key elements an organization should look to be included in the Cloud Service Provider’s Patch Management Policy are ▪How often patches are applied? ▪How the provider will manage emergency or critical patches? ▪That the provider has outlined the level of testing that is required before applying patches ▪Who within the provider authorizes the application of the patches, and will the customer organization have any input into this thought process?
▪How does the Cloud Service Provider ensure patches are centrally controlled, distributed, and applied? ▪The policy should also provide clarification as to roles and responsibilities for applying key patches and updates to the various systems and platforms within the service provider and where the demarcation lies for patches within the customer’s systems. Patch management is an unfortunate fact of life. No matter how well-architected and designed software might be, that software is created by humans and humans are not, and will never be, perfect. However, Microsoft continues to improve security in its platform and works on the principle of continuous improvement.
One of the major improvements in the area of patch management is the new version of Windows Server Update Services (WSUS) included in Windows 8. You will see improved reporting and control of updates applied to both servers and clients in your organization.
Figure 1.7 shows an example of one of the screens in the new WSUS feature. In this chapter, we will talk about what is new in WSUS, how to deploy the Windows Server 2012 WSUS, and how to get the most out of your advanced WSUS deployment ( Figure 1.8).
Knapp, Joel Thomas Langill, in, 2015 Patching as a form of Vulnerability ManagementPatch Management, as it has been traditionally defined, addresses the notification, preparation, delivery, installation, and validation of software hotfixes or updates designed to correct uncovered deficiencies. These shortcomings may not only be related to security vulnerabilities, but also software reliability and operational issues.
Patch management, in the context of risk reduction, is a means of reducing vulnerabilities in an effort to reduce the resulting risk of a particular target. The idea is that if you can remove vulnerabilities from a system, then there is nothing for a threat to exploit and no resulting consequences to your system or plant operation. This sounds simple; since performance and availability are our first priority, and patch management addresses these concerns while at the same time helping to secure the system, it should be deployed on all systems.
Not necessarily!There are many facets to this dilemma, probably all worthy of a book devoted solely to this topic. On the surface it makes perfect sense, but as a long-term strategy it can be argued that it is a “reactive” approach to security—one of defensive tactics, rather than proactive offensive strategies. After all, you are patching what is “known” to be weaknesses yesterday and today, so even after you deploy the updates, new ones WILL be discovered tomorrow! “All programmers are optimists.”— Fredrick P. Brooks, Jr.Patch management is a component of configuration management where you are responsible for ensuring that patches are applied to computers as directed by a company’s policies and procedures. Generally, when a patch is released, individuals in Vulnerability Management roles will identify the urgency of releasing the patch based on the vulnerabilities it addresses and the systems to which it applies. Once the patches that need to be released are identified, those in Patch Management are responsible for ensuring that the patches are tested before release, if possible, and then applying the patches to the appropriate systems.Depending on the devices being patched, various tools may be used to manage the process, such as Microsoft’s System Center Configuration Manager (SCCM) and SolarWinds Patch Manager.
You may be responsible for a single platform (such as those workstations running Microsoft Windows) or multiple platforms.This is the type of job that can be very monotonous in its duties but, if you take some initiative, it can provide you with many opportunities for learning. Craig Wright, in, 2008 Patch ManagementPatch management is covered throughout the book. Although many people decry the need to catch systems and manage vulnerabilities, without this control no system is likely to remain compromised on the Internet for more than a week. There are many stages to patch management. First the organization needs to identify the patches that it needs to apply. Once a patch has been identified it needs to be tested to ensure that it will work correctly in the environment that it is going to be running in. Many systems run multiple applications and it is not uncommon for patches on one application to cause detrimental effects on another.The next consideration is the rollout of the patches.
This is a relatively simple process when only a small number of machines (such as servers) are involved. In the event that application patches need to be rolled out to user workstations in a variety of different contexts, this can result in significant deployment challenges.
In particular some of the major considerations that need to be addressed include: ▪Mobile systems such as notebook computers that may only connect to the network over a slow link or only connect at periodic intervals, ▪Systems that have been powered-off such as user workstations that are being shut down overnight. Newer systems with a power on LAN capability pose less of an issue, ▪Compromised systems are a serious problem. The systems may need to be patched but the process of the system being compromised may have also rendered patching more difficult.Roll back procedures also need to be considered as part of the patching process. It is impossible to test all contingencies and there are occasions where it will be necessary to remove a patch after the patch has been installed.
Vic (J.R.) Winkler, in, 2011 Patch ManagementA formal patch management process is a key to ongoing security. With a public cloud you are relying on the cloud provider to patch their systems, but your data may be at risk until they do. This is of paramount importance when you are talking about patching the foundation, such as virtualization-level vulnerabilities. But operational VMs may also require patching, and that can become interesting. The sheer number of VMs in a virtualized cloud makes patching all VMs unrealistic. Virtualization brings new opportunity to the traditional patch process since it is easier to patch a golden image and then copy customer components to a copy of that image.
Williams, in, 2014 Security and Patch Information KnowledgeA key component of patch management is the acquisition and analysis of knowledge and related information about security issues and patch releases, because IT personnel must know which security issues and software updates are relevant to the organization’s environment. Organizations should have personnel responsible for keeping up to date on newly released patches and security issues that affect the systems and applications in its environment. These personnel should be part of the change management process and should take the lead in alerting administrators and users about security issues or updates to applications and systems the organization supports and uses. A comprehensive and accurate configuration management system can help determine whether all existing systems are accounted for when researching and processing information on patches and updates. Ideally, an organization should have contacts with their operating system, network devices, and application vendors to keep up to date on the release and distribution of information about product security issues and patches. Eric Seagren, in, 2007 Change ManagementAlthough change management and patch management are related, they are not the same thing.
Patch management is a subset of change management and refers to applying patches specifically. Change management is much broader in that it encompasses any type of change to the existing environment. The change that is being managed could include the installation of new software or hardware, or a modification of settings with a system to alter the functionality. The objective of change management is to handle changes in a controlled fashion that minimizes risk.
There are many things that can go wrong when implementing a change; however, a proper change management strategy can help mitigate many of those risks. Change Causes DisruptionThe biggest and most obvious risk when implementing change is that it may cause a service disruption. We are all probably familiar with this type of complication arising from a change. We applied the update and suddenly the server was unreachable. This could be a total loss of functionality, such as when the network drivers get corrupted, or a partial disruption, where only a portion of functionality is lost.
In either case, the downtime can cost significant loss of revenue, or real dollars (paid to consultants or vendors) to correct, not to mention the headache involved in troubleshooting the problem. Remember that some of these risks are entirely avoidable, while others are not. There really is no way to know if a network interface card on the server is going to quit working when you reboot the server, but having a spare one on hand can really help. In some cases, the changes themselves may work perfectly, but due to a lack of proper change management, multiple changes occurring simultaneously could interfere with each other.
![Patch maker software Patch maker software](/uploads/1/2/6/6/126665639/649329019.jpg)
For example, if you are upgrading the Internet connection, another technician may not be able to perform an upgrade using software that is downloaded over the Internet. Inadequate Documentation Can Exacerbate ProblemsThere are still more ways an inadequate change management system can cause problems.
Imagine a co-worker installs a new switch, tests the connectivity, and then heads home. The next day, an entire group of systems become unavailable. You suspect that all the systems might be connected to the new switch but there is no documentation of the change. You don’t know which systems are using the new switch, or what ports they are connected to. You now have to spend precious time trying to learn what the current environment is before you can even begin to troubleshoot the real issue. This is an example of how the change itself might not be the cause of an outage, but without proper documentation and procedures in place, changes can still negatively impact the functioning of the network. To mitigate these risks, the best practice is to develop a change management strategy.
Change Management Strategy. The first step to implementing changes in a controlled fashion is to review and assess the changes that are needed. In some cases, this may be a relatively informal process conducted by a single individual. In a larger organization, this could actually be implemented by a committee and include formal meeting minutes that are made available to upper management. You will need to find a level of sophistication that suits the needs of your organization. The purpose of this phase is to identify the changes that are needed, determine how badly they are needed, and determine what level of process needs to be used for their implementation.
You probably don’t want hours of reporting and meetings because someone wants to change their screensaver. The changes need be prioritized, which is somewhat subjective but includes consideration such as the following: ■The impact and risk of not implementing the change.
Will business be impacted? Will real dollars be lost or will it only be an inconvenience for employees performing some processes? ■The risk that applying the change might negatively impact service. What are the odds of this change breaking something?
How complex is the environment? How well documented and understood is the environment?
■The criticality of the host/system affected by the change. How key is the affected device to the business process? ■Nontechnical considerations. If the change breaks something, will the disruption be visible to the customer? Will there be a loss of customer confidence or business?All these considerations will lead to the second phase, which is scheduling. I have seen many examples where the risk of making a change was simply too high, and the decision was made to simply live with the risk.
You prioritization and deadlines can probably be very similar to that of the aforementioned patch management process.Only after you have analyzed the priority of the changes can you schedule them. Typically, a business will have more than one change window, depending on the urgency of the change. Minor changes to noncritical systems may be acceptable during any nonbusiness hours, while critical systems may only have a change window of a couple of hours each week to apply changes. A change window is the accepted time frame for implementing changes.
This phase is best accomplished with multiple stakeholders working together. This allows for various initiatives to be scheduled without creating a conflict between them. The scheduling stage will work best if you can provide input and buy-in from representatives from multiple lines of business.Scheduling could also be impacted by nontechnical considerations that the technical staff may not be aware of. Perhaps a new advertising campaign is being initiated on the first of the month and traffic to the corporate Web site is expected to rise sharply. In this case, applying an operating system patch on the server the night before might not be a good idea. It is for these reasons that the person scheduling the changes should not work in a vacuum, but instead seek cooperation from the appropriate parties.
In a smaller environment, these types of scheduling conflicts are less likely to occur, but you should be aware of the potential and take steps to avoid it. By having all the critical groups represented during the scheduling phase, or at the very least informed of the schedule, you can minimize the risk of a scheduling conflict. Documenting changes is one of the most commonly overlooked or inadequately performed steps. This is especially true when in the middle of a crisis and restoring functionality is the highest concern. A well-documented change is far more likely to be successful than one that is not.
This is true not only because someone may need the documentation later, but also because the process of completing the required documentation may cause one to consider some facet that may have otherwise been overlooked. Although change documentation will be different for each organization, there are some elements that all change documentation should have in common. These are outlined here: ■Change Schedule The change schedule will have the time and date the change will be implemented, including when the changes will begin and end. It should also include a back-out time, which is a time after which the change either must work, or the change is undone.
To continue working on an unsuccessful change after the back-out time typically requires senior management approval. ■Testing This section should include the procedures used to test the change.
In some cases this may be simple; in others it may be a very detailed section requiring its own set of documentation. This section explicitly states the manner in which you will measure success of the change. This section also serves to show that the person implementing the change performed their due diligence in testing the change, should a problem arise later. ■Backout Plan This section will detail what steps will be needed to reverse the changes. In some cases this section may seem trivial, while in a more complicated change it may be very difficult to undo the changes.
For example, if you upgrade a third-party application on a Web server, there may be no means to undo the upgrade other than to restore from tape, which will likely take a considerable amount of time. The steps involved in the back-out plan will be used to determine when the back-out threshold should be. For example, if your change window for Web servers is 1:00 A.M. And it will take three hours to back out the changes (by restoring the server from tape), your back-out threshold would be no later than 3:00 A.M. ■Contact List The contact list is a listing of all relevant stakeholders. This includes who will be making the changes, who will be testing the changes, and who they report to.
This list should also include who should be contacted in the event of an emergency, and possibly the project manager for the effort. It is a good idea to also note the expected means of communication. For example, if the senior network manager expects an e-mail in his inbox after the change is successful, this should be noted as well. This helps ensure that these details are not forgotten. ■Sign-off This is one of the key sections. Not only subject matter experts but also stakeholders should provide their written approval. This could include line-of-business representatives who are not technical as well.
This provides assurance that everyone who may be impacted has been represented and is in agreement with the change.All of these procedures should have a plan for dealing with emergency changes. By definition, an emergency change is a needed change that was not planned for. This often means adequate testing and planning has not been done but the risk still may be acceptable if the alternative is less desirable.
These changes can occur when a system is unreachable unexpectedly, or if you are actively being attacked by a hacker. There should be alternate procedures for implementing a change that enable one to expedite the process. Emergency change procedures should be well documented. Special consideration should be given with regards to how one seeks approval for an emergency change and who has the authority to approve emergency changes. With well-established change procedures in place before implementing a change, you can minimize the risk caused by implementing emergency changes. If a service disruption does occur, you will also be more prepared for dealing with it in a timely fashion.
Debra Littlejohn Shinder, in, 2013 Using Group Policy to Configure WSUSOne of the biggest challenges for patch management is to ensure that you have a policy enforcement that dictates how the computers of your network will behave when new updates are available to be installed. While planning the overall strategy, you need to understand your target, the potential scenarios, and also what is an acceptable amount of time to wait to install updates after they have been released.
You need to understand if there are other policies in the environment that might cause conflicts and make sure that patch management is not sacrificed by those. For example, if you have a policy that dictates that all users should shut down their computers during the night shift, then you cannot force updates to happen at night, in spite of the fact that this is the best time to update the computers since they are not in production.Windows Server 2012 Active Directory offers the same capability as its predecessor for updating computers. The policies are the same and the configuration also has not changed. To apply an update policy to all client workstations to use the corporate WSUS Server, read the scenario below and follow the steps. ▪If the computers on the financial department are in sleep mode, the update management process should wake up the systems. ▪Updates should be downloaded and installed automatically every day at 2 A.M. ▪Obtain updates from the new WSUS Server.
▪Updates should be installed immediately after the download. ▪If there are users logged in the computer during the update installation, the restart of the computer should be notified and not forced. ▪This update policy should not affect other computers in the organization. Confirming that the changes were correctly done.
6.After confirming that those policies were correctly configured, close this MMC and click No when it asks if you want to save it. 7.On the command prompt window, type net stop wuauserv to stop Windows Update Service and press ENTER.
8.Once if finish stopping, type net start wuauserv to start Windows Update Service and press ENTER. 9.On the toolbar, click on the Address field, type Control Panel, and press ENTER. 10.On the Control Panel, click System and Security, click Windows Update, and click Check for Updates.
![](/uploads/1/2/6/6/126665639/453085366.jpg)