7.4: Perform Automated Application Patch Management
Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
Asset Type | Security Function | Implementation Groups
---|---|---
Applications | Protect | 1, 2, 3
Dependencies
Safeguard 1.1: Establish and Maintain Detailed Enterprise Asset Inventory
Safeguard 2.1: Establish and Maintain a Software Inventory
Safeguard 4.1: Establish and Maintain a Secure Configuration Process
Inputs
1. GV5: Authorized software inventory
2. GV1: Enterprise asset inventory
3. Authoritative source of information indicating version details by product
4. GV3: Configuration standards
5. GV24: Authorized automated patch management software
Operations
1. Use GV5 to identify authorized applications within the enterprise
2. Use GV1 and the output of Operation 1 to identify the applications currently running on each asset (M1)
   - 2.1 For each asset, compare the version of the application to that listed in Input 4
     - Identify and enumerate applications that are up to date (M2)
     - Identify and enumerate applications that are not up to date (M3)
   - 2.2 For each application identified in Operation 2.2, determine whether there is a documented exception
     - Identify and enumerate applications with a documented exception (M4)
     - Identify and enumerate applications without a documented exception (M5)
3. Compare GV24 and the output of Operation 1
   - Identify and enumerate applications covered by at least one automated patch management software (M7)
   - Identify and enumerate applications not covered by at least one automated patch management software (M8)
4. Check the configurations of the automated patch management software in GV24 using GV3
   - Identify and enumerate those configured to run every 30 days or less (M9)
   - Identify and enumerate those not configured to run every 30 days or less (M10)
Measures
M1 = Count of authorized applications installed on an asset
M2 = Count of up-to-date applications installed on an asset
M3 = Count of applications installed on an asset that are not up to date
M4 = Count of not-up-to-date applications with a documented exception
M5 = Count of not-up-to-date applications without a documented exception
M6 = Count of GV24 authorized automated patch management software
M7 = Count of applications covered by at least one automated patch management software
M8 = Count of applications not covered by at least one automated patch management software
M9 = Count of automated patch management software properly configured to run every 30 days or less
M10 = Count of automated patch management software not properly configured to run every 30 days or less
Metrics
If M4 is greater than thirty, this safeguard is measured at a 0 and receives a failing score. The other metrics don't apply.
Update Effectiveness (Per Asset)
Metric | The percent of applications on an asset that are up to date
---|---
Calculation |
Update Effectiveness (Organizational)
Calculate the organizational metric by averaging the asset scores.
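The operations, measures and metric above form one assessment procedure. The following Python is an added worked example of that procedure run over constructed inventory data; it is not CIS tooling and not part of the safeguard text. The data structures (`Asset`, `PatchTool`), the dotted-number version comparison, and the treatment of an application missing from the authoritative version source as "not up to date" are all assumptions made for the example. The Calculation cell on the page is blank, so the per-asset score is computed as the percent described in the Metric row, M2 divided by M1, with the M4-greater-than-thirty failing rule applied first and the organizational score taken as the average of the asset scores.

```python
"""Worked example (added, not CIS's own code): Safeguard 7.4 measures M1..M10
and the Update Effectiveness metric over constructed inventory data."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Asset:
    """One GV1 enterprise asset: application name -> installed version (assumed shape)."""
    asset_id: str
    installed: Dict[str, str]


@dataclass(frozen=True)
class PatchTool:
    """One GV24 automated patch management tool (assumed shape)."""
    name: str
    covers: Set[str]          # application names the tool keeps patched
    run_interval_days: int    # how often it is configured to run


def version_key(version: str) -> Tuple[int, ...]:
    """Order dotted numeric versions so that '1.10' sorts above '1.9' (constructed data only)."""
    return tuple(int(part) for part in version.split("."))


def measure_asset(asset: Asset, authorized: Set[str], authoritative: Dict[str, str],
                  exceptions: Set[str]) -> Dict[str, int]:
    """Operations 1-2 for one asset: M1..M5.

    An application absent from the authoritative version source (Input 3) cannot be
    shown to be current, so it is counted as not up to date (assumption).
    """
    apps = {n: v for n, v in asset.installed.items() if n in authorized}        # M1 set
    up_to_date = {n for n, v in apps.items()
                  if n in authoritative and version_key(v) >= version_key(authoritative[n])}
    stale = set(apps) - up_to_date                                               # M3 set
    excepted = stale & exceptions                                                # M4 set
    return {"M1": len(apps), "M2": len(up_to_date), "M3": len(stale),
            "M4": len(excepted), "M5": len(stale - excepted)}


def measure_patch_management(authorized: Set[str], tools: List[PatchTool],
                             max_interval_days: int) -> Dict[str, int]:
    """Operations 3-4 across the enterprise: M6..M10 (GV3 standard = max_interval_days)."""
    covered = {n for t in tools for n in t.covers} & authorized                  # M7 set
    compliant = [t for t in tools if t.run_interval_days <= max_interval_days]   # M9 set
    return {"M6": len(tools), "M7": len(covered), "M8": len(authorized - covered),
            "M9": len(compliant), "M10": len(tools) - len(compliant)}


def asset_score(m: Dict[str, int]) -> Optional[float]:
    """Per-asset Update Effectiveness: 0 when M4 > 30 (failing rule), else percent up to date.

    An asset with no authorized applications (M1 == 0) has no score and is excluded
    from the organizational average (assumption).
    """
    if m["M4"] > 30:
        return 0.0
    if m["M1"] == 0:
        return None
    return 100.0 * m["M2"] / m["M1"]


def organizational_score(assets: List[Asset], authorized: Set[str],
                         authoritative: Dict[str, str], exceptions: Set[str]) -> float:
    """Organizational Update Effectiveness: average of the per-asset scores."""
    scores = [asset_score(measure_asset(a, authorized, authoritative, exceptions)) for a in assets]
    scored = [s for s in scores if s is not None]
    return sum(scored) / len(scored) if scored else 0.0


# ---- constructed sample inputs (not from any real environment) ----
AUTHORIZED = {"browser", "pdf-reader", "office-suite", "ssh-client"}            # GV5
AUTHORITATIVE = {"browser": "120.0.1", "pdf-reader": "11.2",                  # Input 3
                 "office-suite": "16.0.3", "ssh-client": "9.6"}
EXCEPTIONS = {"office-suite"}                                                  # documented exception
MAX_INTERVAL_DAYS = 30                                                         # GV3 standard
PATCH_TOOLS = [PatchTool("central-updater", {"browser", "pdf-reader", "office-suite"}, 7),
               PatchTool("legacy-pusher", {"vpn-client"}, 45)]                 # GV24
ASSETS = [                                                                     # GV1
    Asset("ws-001", {"browser": "120.0.1", "pdf-reader": "11.1",
                     "office-suite": "16.0.3", "ssh-client": "9.6"}),
    Asset("ws-002", {"browser": "119.0.0", "office-suite": "16.0.1", "unapproved-tool": "1.0"}),
]

if __name__ == "__main__":
    for a in ASSETS:
        m = measure_asset(a, AUTHORIZED, AUTHORITATIVE, EXCEPTIONS)
        print(a.asset_id, m, "score =", asset_score(m))
    print("patch management:", measure_patch_management(AUTHORIZED, PATCH_TOOLS, MAX_INTERVAL_DAYS))
    print("organizational score =", organizational_score(ASSETS, AUTHORIZED, AUTHORITATIVE, EXCEPTIONS))
```

Run as a script it prints the per-asset measures and scores, the enterprise-level M6..M10, and the organizational average. Note that M8 and M10 are the findings an assessor acts on: an authorized application that no patch tool covers, or a tool whose run interval exceeds the 30-day standard, will keep producing not-up-to-date applications (M3, M5) on every asset it touches.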