In the last few years we used to do Windows updates quarterly on our production servers as required by PCI DSS. In the last year though, we’ve had to do updates every single month due to critical CVEs needing to be patched. It’s becoming ludicrous actually, yet they’re cutting security folk.
Think we patch monthly regardless in and outside of PCI-scoped environments. The issue recently is that customers want even more frequent patches, like within a few days of the CVEs.