During the server migration we've had some turbulence with respect to who should keep an eye on what, and as a consequence some of our websites have gone unpatched (and there is at least one confirmed security incident).
Historically this has had severe negative impact on a variety of our WordPress sites, our Piwik installation, SSL certificates as well as our main Drupal site.
To ensure this does not happen again we should:
a) Inventory all
- websites/servers we maintain
- components on these which may need monitoring for updates/patches
- ensure there is clear documented info for HOW these are updated/patched
- ensure there is one person assigned with the main responsibility for keeping these up-to-date
b) For each component identified above, ensure that drift@ is subscribed to the relevant feeds/lists for security announcements
c) Ensure that there is
- a schedule for regularly checking in to all of the identified components/websites/servers and updating them
- a protocol so that we can follow up on this having been done
- Time/budget set aside to ensure that this maintenance can be performed without competing for time with other responsibilities.
d) Ensure we have someone we can turn to (with rather short notice) when shit hits the fan and fixing the problem is beyond the skill set of our in-house staff.