Patch Management Audit Checklist

Checklist Measuring patch management metrics. At this point, most organizations of any size have implemented some type of patch management program usually including the associated tools. A smaller subset has taken things a step further and rolled out full fledged vulnerability management programs. No matter where your company is in the process, its important to consider how youll measure the progress of your efforts. By submitting your personal information, you agree that Tech. Target and its partners may contact you regarding relevant content, products and special offers. You also agree that your personal information may be transferred and processed in the United States, and that you have read and agree to the Terms of Use and the Privacy Policy. The value of metrics and measuring performance is well established in the IT industry, though given patch managements relatively recent emergence, measurement is not as widely adopted in this space. Patch Management Audit Checklist' title='Patch Management Audit Checklist' />To get a good handle on ROI and the effectiveness of your patch management program, you should be tracking and analyzing key performance indicators. So, what are the indicators From a broad perspective, you should track information in several areas adjustable based on each particular environment. To keep things simple and applicable to multiple scenarios, well divide them into the following categories Checklist Measuring patch management metricslt d Coverage. This metric category refers to the number or proportion of systems that any particular patch effort is able to cover. Coverage is one of the most important metrics, since it relates directly to the amount of risk that exists and is addressed. An accurate asset management system produces the ideal baseline for this measurement, though ad hoc scanning will also produce useful results. At a program level, you can use the coverage metric to track the number of systems and applications that are covered by any given patch management tool e. Effort. This measurement tracks the level of effort expended for each patch. Typical items covered in this category are the number of support calls a patch generates, the amountof man hours involved in deployment and the number of in person visits required manual intervention versus automated deployment. Speed. There are several dimensions to the speed category. One metric tracks how quickly a patch is deployed after the vendor releases it. If the patch is a security update and there is an exploit available, this can be referred to as an exposure or vulnerability window. Another component of this category measures the amount of time it takes to roll out the patch in your organization. This is most often measured in increments for example, the amount of time it takes to patch 5. Impact. Business owners show a lot of interest in this metric. Impact refers to the impact on your organization measured most often in terms of downtime and failures related to patch deployment. Organizations with a mature risk management program can also measure impact in terms of revenue or similar means. Quality. This is somewhat related to the effort category, but is important enough to break out on its own. Quality metrics include time spent testing installation and backout plans and the percentage of successful installations. Of course, each organization puts its own value on particular metrics. Regardless of the metrics you choose to measure, its important to build appropriate reporting and tracking mechanisms into your patch management process. Doing so will move your organization forward not only in the patch management discipline, but also in overall risk and vulnerability management. Implementation Summary. This followup report on the implementation of management action plans concludes the internal audit process and outlines the measures taken by. Section 1 Introducing Configuration, Change, and Release Management 5 Section 1 Introducing Configuration, Change, and Release Management This section provides a. InformationWeek. com News, analysis and research for business technology professionals, plus peertopeer knowledge sharing. Engage with our community. About the author Jason Chan serves as a co moderator for the patchmanagement. He has written articles for publications such as Sys. Admin Magazine and Computer Fraud and Security. He has been a security consultant for over six years. In this role, Chan works with many of the worlds largest enterprises to help ensure the security of their digital assets. Prior to consulting, he worked in the Information Warfare Engineering group with the U. S. Navy Space and Naval Warfare Center. Sparkle Brush Photoshop more. Ask Jason Chan your patch management questions. More information from Search. Windows. Security. Step by step Guide Patch management must do list. Article Dont have a patch attack. Tip Stay on top of automated patching.