COI Report – Part VII, Page 379 of 425

46.2 The patch management process must provide for oversight with the reporting of appropriate metrics

1103. Once again, it must be highlighted that patch management cannot be a merely theoretical exercise. Processes must be in place to ensure that patch management policies are understood and complied with.
In this regard, it is important for there to be a system for the recording of patch management metrics, and regular checking of said metrics to ensure that patch management policies are effective.
1104. It is almost impossible to set appropriate patching objectives and check if said objectives have been achieved without using a set of appropriate metrics. The metrics will also offer a wealth of information to security staff, and allow them to communicate more meaningfully with management and others about the status of the organisation’s patch management policies. The status of an organisation’s patch management must be measured using objective metrics, and cannot be left to subjective and unreliable judgements about the efficacy of implementation efforts.
1105. IHiS should undertake a comprehensive review and determine what metrics would be meaningful and feasible to track and regularly analyse. At a basic level, the following metrics with clear timelines should be considered:[107]
(a) Number of machines scanned
(b) Number of machines not scanned
(c) Number of patches found
(d) Number of patches not found

[107] SANS Institute, “Patch Management and the Need for Metrics”, SANS Institute Reading Room, July 2004.
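As an added illustration (not part of the COI Report and not IHiS's own tooling), the following Python computes the four basic metrics listed in paragraph 1105 from a constructed set of scan records and, to give the "clear timelines" teeth, checks every missing patch against the deadline that policy assigns to it. The machine names, patch identifiers, deadlines and reporting date are all constructed sample values. Because the report does not define the terms, the example assumes that a patch is "found" when a required patch is present on a scanned machine and "not found" when it is absent.

```python
from dataclasses import dataclass, field
from datetime import date


@dataclass
class Machine:
    """One host as seen by the patch/vulnerability scanner."""
    name: str
    scanned: bool                                  # False = scanner could not assess the host
    installed: set = field(default_factory=set)    # patch identifiers confirmed present


# Constructed sample data: required patches and the deadline policy assigns to each.
REQUIRED_PATCHES = {
    "PATCH-A": date(2018, 5, 31),
    "PATCH-B": date(2018, 6, 30),
    "PATCH-C": date(2018, 7, 31),
}

# Constructed sample scan results.
SAMPLE_SCAN = [
    Machine("srv-01", True, {"PATCH-A", "PATCH-B", "PATCH-C"}),
    Machine("srv-02", True, {"PATCH-A"}),
    Machine("ws-03", False),                        # not scanned: status unknown
    Machine("ws-04", True, {"PATCH-A", "PATCH-B"}),
]


def compute_metrics(machines, required, as_of):
    """Return the four basic metrics plus the overdue items that warrant escalation.

    Assumed definitions: a patch is 'found' when present on a scanned machine and
    'not found' when a required patch is absent. Unscanned machines are reported
    separately and never counted as compliant, since their state is unknown.
    """
    scanned = [m for m in machines if m.scanned]
    not_scanned = [m for m in machines if not m.scanned]
    found = 0
    not_found = 0
    overdue = []                                    # (machine, patch, days past deadline)
    for m in scanned:
        for patch, deadline in required.items():
            if patch in m.installed:
                found += 1
            else:
                not_found += 1
                if as_of > deadline:
                    overdue.append((m.name, patch, (as_of - deadline).days))
    total = found + not_found
    return {
        "machines_scanned": len(scanned),
        "machines_not_scanned": len(not_scanned),
        "unscanned": sorted(m.name for m in not_scanned),
        "patches_found": found,
        "patches_not_found": not_found,
        "compliance_pct": round(100.0 * found / total, 1) if total else 0.0,
        "overdue": overdue,
    }


def sample_report(as_of=date(2018, 7, 15)):
    """Metrics for the constructed sample as of a fixed (constructed) reporting date."""
    return compute_metrics(SAMPLE_SCAN, REQUIRED_PATCHES, as_of)


if __name__ == "__main__":
    for key, value in sample_report().items():
        print(f"{key}: {value}")
```

Two design points matter for the oversight the report calls for: unscanned machines are listed by name rather than folded into the compliance percentage, so a shrinking scan footprint cannot masquerade as improving compliance; and the overdue list carries the number of days past deadline, which is the item a security function would want in order to apply heightened monitoring to hosts that are still waiting to be patched.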
1106. Furthermore, the collected metrics and analyses thereof should be subject to regular management oversight. IHiS should review and determine which body would be the most appropriate to have oversight of this function. The policy should set out explicitly what the lines of reporting are, who has responsibility for reporting, and how regularly reports on metrics should be issued. It is suggested that there be two concurrent lines of reporting to:
(a) Director, Delivery Group – This is to ensure oversight of the personnel managing the systems and applications, as they should be the ones with the primary responsibility to ensure that patches are applied; and
(b) Lead, SMD – This is to ensure oversight from a security perspective, so that there can be heightened security monitoring even as systems and applications are waiting to be patched, and also so that, generally, vulnerabilities and lapses can be picked up and addressed by staff with a dedicated cybersecurity portfolio.