You have considered and decided on a policy for installing security patches. For example, you may decide to install all security patches as soon as they are made available. Or, if your line of business or back office systems are old, uncommon or heavily customized, you may have a policy of testing each security patch against your software to ensure that it will still work properly.