Patch Management archives - IT Trenches


Jul 28 2009   3:11PM GMT

Open Patch Management Metrics Model Released



Posted by: Troy Tate
Microsoft, patch management, Metrics, framework, maturity model, patch management framework, research, asset management, lifecycle management

Securosis and Microsoft have teamed up and released an Open Patch Management Metrics Model. The purpose of this model is to “provide organizations with a tool to better understand their patching costs.” The model also lays out ten steps, each with multiple substeps, to guide an organization through a patch management process framework.

The document can be found on the Securosis website. More information will be released as the model matures and additional organizations contribute to the research. Let the ITKE community know your thoughts on this model and if the metrics are meaningful to your organization.

For myself, I think that the metrics would be good to gather but would be a challenge to maintain when we are always being challenged to do more with less.

Thanks for reading & let’s continue to be good network citizens!

May 22 2009   3:24PM GMT

The Center for Internet Security defines security metrics



Posted by: Troy Tate
Center for internet security, CIS, Security, information security, information security metrics, Metrics, security metrics, application security, change management, incident management, patch management, vulnerability management

As an information security manager, I am always struggling with how to measure the security posture of my organization. As they say, you can’t manage what you can’t measure. There’s lots of talk out there about ROI (Return on Investment) or ROSI (Return on Security Investment). These may be business numbers for the bean counters, but what do they really mean for the security posture of the organization?

The CIS worked with over 100 team members from government, private and academic organizations to develop a set of metrics that measure security processes and outcomes. The list below shows some of the business functions covered by the current suggested list of metrics.

  • Application Security
    • Number of Applications
    • Percentage of Critical Applications
    • Risk Assessment Coverage
    • Security Testing Coverage
  • Configuration Change Management
    • Mean-Time to Complete Changes
    • Percent of Changes with Security Review
    • Percent of Changes with Security Exceptions
  • Financial
    • Information Security Budget as % of IT Budget
    • Information Security Budget Allocation
  • Incident Management
    • Mean-Time to Incident Discovery
    • Incident Rate
    • Percentage of Incidents Detected by Internal Controls
    • Mean-Time Between Security Incidents
    • Mean-Time to Recovery
  • Patch Management
    • Patch Policy Compliance
    • Patch Management Coverage
    • Mean-Time to Patch
  • Vulnerability Management
    • Vulnerability Scan Coverage
    • Percent of Systems Without Known Severe Vulnerabilities
    • Mean-Time to Mitigate Vulnerabilities
    • Number of Known Vulnerability Instances

Take some time and visit the CIS metrics page or download the consensus security metrics (registration required). You may find some useful tools in building and supporting an information security program for your organization.
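To make the patch management metrics above concrete, here is an added example (not from the CIS document or this post) that computes Patch Management Coverage, Mean-Time to Patch and Patch Policy Compliance over a constructed set of host and patch records. The 30-day policy window, the reporting date and the rule that a host is non-compliant only when a missing patch is past that window are assumptions for the example, not CIS definitions.

```python
from datetime import date
from statistics import mean

# Constructed sample data for illustration only (not from CIS or the post).
POLICY_DAYS = 30              # assumed policy window: patch within 30 days of release
AS_OF = date(2009, 7, 15)     # constructed reporting date

# host -> True if a patch management agent/tool manages it
HOSTS = {"web01": True, "web02": True, "db01": True, "legacy01": False}

# (host, patch id, release date, install date or None if still missing)
RECORDS = [
    ("web01",    "P-1", date(2009, 6, 1),  date(2009, 6, 5)),
    ("web02",    "P-1", date(2009, 6, 1),  date(2009, 6, 11)),
    ("db01",     "P-1", date(2009, 6, 1),  None),
    ("web01",    "P-2", date(2009, 6, 20), date(2009, 6, 22)),
    ("legacy01", "P-1", date(2009, 6, 1),  None),
]


def patch_management_coverage(hosts):
    """Percent of hosts under patch management tooling."""
    return 100.0 * sum(hosts.values()) / len(hosts)


def mean_time_to_patch(records):
    """Mean days from patch release to install, over patches actually installed."""
    delays = [(inst - rel).days for _, _, rel, inst in records if inst is not None]
    return mean(delays) if delays else None


def overdue(record, as_of, policy_days):
    """A patch is overdue when it is missing and the policy window has elapsed."""
    _, _, rel, inst = record
    return inst is None and (as_of - rel).days > policy_days


def patch_policy_compliance(records, hosts, as_of, policy_days):
    """Percent of hosts with no overdue patch as of the reporting date."""
    noncompliant = {r[0] for r in records if overdue(r, as_of, policy_days)}
    return 100.0 * (len(hosts) - len(noncompliant)) / len(hosts)


if __name__ == "__main__":
    print(f"Patch Management Coverage: {patch_management_coverage(HOSTS):.1f}%")
    print(f"Mean-Time to Patch:        {mean_time_to_patch(RECORDS):.1f} days")
    print(f"Patch Policy Compliance:   "
          f"{patch_policy_compliance(RECORDS, HOSTS, AS_OF, POLICY_DAYS):.1f}%")
```

Note that an unmanaged host such as legacy01 drags down both coverage and compliance, which is exactly the gap an asset inventory is meant to expose.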

Thanks for reading & let’s continue to be good network citizens.