3.5: Deploy Automated Software Patch Management Tools

Deploy automated software update tools in order to ensure that third-party software on all systems is running the most recent security updates provided by the software vendor.

Asset Type

Security Function

Implementation Groups

Applications

Protect

1, 2, 3

Dependencies

  • Sub-control 2.1: Maintain Inventory of Authorized Software

Inputs

  1. From the authorized software list (ASL; sub-control 2.1), information on the current authorized version.

  2. Access to an authoritative source of information indicating version details by product.

  3. A list of approved exceptions, noting any reasons that an authorized software package does not match the latest version.

Operations

  1. For each software in Input 1, list the software products which do not match the latest version as described by Input 2.

  2. For each endpoint, obtain the current software load (the list of installed software).

  3. For each endpoint, list the installed software that does not match the current authorized version from Input 1.

  4. For each software product listed in Operation 3, list any that exist in the approved exceptions list (Input 3).

Measures

  • M1 = List of authorized software products installed on the endpoint which are not at the latest version.

  • M2 = Count of M1

  • M3 = List of authorized software products installed on the endpoint.

  • M4 = Count of M3

  • M5 = List of authorized software products installed on the endpoint which are not at the latest version, but have approved exceptions.

  • M6 = Count of M5

Metrics

Update Effectiveness (Per Endpoint)

Metric
For a given endpoint, calculate the ratio of installed software updates to the
total number of required software updates.

Calculation
If M2 == 0, this indicates the endpoint requires no software updates.
If (M2 - M5) == 0, this indicates the endpoint requires software updates,
but the out-of-date software has an approved exception.
Otherwise, this metric is calculated as (M2 - M5) / M4

Update Effectiveness (Organizational)

The organizational metric is calculated by averaging the results of the “per endpoint” metric above.