GB965 CyberOps Quick Start Guide: Patch Management V0.11

The basic proposition put forward is that 80% of the root causes of security incidents from cyber-attack and risks can be mitigated by doing the basics well. By the Pareto rule, 20% of possible mitigations should give us an 80% impact. Since this proposition has emerged from the natural work of multiple worldwide security response teams, and since the organizations that certify international security best practices have published work in material agreement with this proposition, the TM Forum Cyber Ops Metrics project team chose to address the question: What specific 20% of all the activities we could undertake to improve security can provide the most overall benefit, ideally 80% or more?

The project champions recognized managing the response to security vulnerabilities and vendor software releases as a key risk mitigation strategy. The project team's independent evaluation of multiple outside best practices and certification courses clearly justifies patch management as a best practice strategy within the 20% target. Requirements put forth by the project champions included defining KPIs that can be instrumented systematically, encourage good behavior (process improvement), and are implementable across a supply industrial base with nested and networked connectivity, not only a traditionally simple cascaded supply chain.

This Quick Start Pack intends to offer its audience best practice guidance with a set of KPIs that can be applied as is, or at least provide a starting point for discussion. The KPIs prescribed within this document will not solve all patch management problems. They are intended to help you identify where to probe deeper into your process and make improvements, specifically for security. Some metrics are also more broadly useful.

General Information

Document series: GB965
Document version: 11
Status: TM Forum Approved
Document type: Best Practice
IPR mode: RAND
TM Forum Approved: 30-Sep-2013