3.5: Deploy Automated Software Patch Management Tools
Sub-control 3.5 states that you must deploy automated software update tools in order to ensure that third-party software on all systems is running the most recent security updates provided by the software vendor.
Asset Type | Security Function | Implementation Groups |
---|---|---|
Applications | Protect | 1, 2, 3 |
Dependencies
- Sub-control 2.1: Maintain Inventory of Authorized Software
Inputs
1. Authorized Software List (I1): an authorized software list (ASL; sub-control 2.1) together with the current authorized version of each product.
2. Authoritative Source of Information (I2): access to an authoritative source of information that gives version details by product.
3. List of Approved Exceptions (I3): a list of approved exceptions noting the reason an authorized software package does not match the latest version.
Operations
1. For each software product in I1, list the products whose authorized version does not match the latest version as described by I2.
2. For each endpoint, obtain the current software load (the list of installed software). This information can be retrieved from sub-control 2.1.
3. For each endpoint, list the installed software that does not match the current authorized version from I1.
4. For each software product listed in Operation 3, list any that appear in the approved exceptions list (I3).
Measures
Measure | Definition |
---|---|
M1 = List of authorized software products at wrong version | A list of authorized software products installed on the endpoint that are not at the latest version. |
M2 = Count of items in M1 | A count of the total number of items in M1. |
M3 = List of all authorized software products | A list of all authorized software products installed on the endpoint. |
M4 = Count of items in M3 | A count of the total number of items in M3. |
M5 = List of authorized software with exceptions | A list of authorized software products installed on the endpoint that are not at the latest version, but have approved exceptions. |
M6 = Count of items in M5 | A count of the total number of items in M5. |
Metrics
Update Effectiveness (Per Endpoint)
Metric | Calculation |
---|---|
For a given endpoint, the ratio of installed software updates compared to the total number of required software updates. | If M2 == 0, the endpoint requires no software updates. If (M2 - M6) == 0, the endpoint requires software updates, but all of the out-of-date software has an approved exception. Otherwise, this metric is calculated as (M2 - M6) / M4. |
Update Effectiveness (Organizational)
The organizational metric is calculated by averaging the results of the Per Endpoint metric above.
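The operations, measures and both metrics above, carried through as an added Python example (not part of the CIS document). The software inventory, version numbers, exception list and endpoint names are constructed sample data; the 0.0 ratio assigned to the two special cases so they can enter the organizational average is an assumption, since the page only says the per-endpoint results are averaged.

```python
from statistics import mean

# Constructed sample inputs (not from the CIS page); product versions are made up.
ASL = {"openssl": "3.0.13", "curl": "8.6.0", "libxml2": "2.12.5", "zlib": "1.3.1"}  # I1
VENDOR_LATEST = {"openssl": "3.0.13", "curl": "8.7.1", "libxml2": "2.12.5", "zlib": "1.3.1"}  # I2
EXCEPTIONS = {"libxml2": "vendor patch awaiting compatibility test"}  # I3
ENDPOINTS = {  # per-endpoint software loads as the sub-control 2.1 inventory would report them
    "host-a": {"openssl": "3.0.13", "curl": "8.6.0", "zlib": "1.3.1"},
    "host-b": {"openssl": "3.0.11", "curl": "8.6.0", "libxml2": "2.12.3", "notepad": "1.0"},
    "host-c": {"openssl": "3.0.13", "libxml2": "2.12.3"},
}

def stale_authorizations(asl, latest):
    """Operation 1: authorized products whose approved version lags the vendor's latest."""
    return sorted(p for p, v in asl.items() if v != latest.get(p, v))

def endpoint_measures(installed, asl, exceptions):
    """Operations 2-4 for one endpoint, returned as the measures M1..M6.
    Software absent from the ASL is unauthorized (sub-control 2.x) and out of scope here."""
    m3 = sorted(p for p in installed if p in asl)       # authorized products present
    m1 = [p for p in m3 if installed[p] != asl[p]]      # not at the authorized version
    m5 = [p for p in m1 if p in exceptions]             # out of date, but with an approved exception
    return {"M1": m1, "M2": len(m1), "M3": m3, "M4": len(m3), "M5": m5, "M6": len(m5)}

def update_effectiveness(m):
    """Per-endpoint metric as (status, ratio). The two special cases from the metric
    table get a ratio of 0.0 (assumption) so they can take part in the organizational
    average; otherwise the ratio is (M2 - M6) / M4."""
    if m["M2"] == 0:
        return ("no updates required", 0.0)
    unexcepted = m["M2"] - m["M6"]
    if unexcepted == 0:
        return ("updates required, all covered by approved exceptions", 0.0)
    return ("updates required", unexcepted / m["M4"])

def organizational_effectiveness(endpoints, asl, exceptions):
    """Per-endpoint results plus their mean, which is the organizational metric."""
    per_endpoint = {host: update_effectiveness(endpoint_measures(load, asl, exceptions))
                    for host, load in endpoints.items()}
    return per_endpoint, mean(ratio for _, ratio in per_endpoint.values())

if __name__ == "__main__":
    print("authorized versions behind vendor:", stale_authorizations(ASL, VENDOR_LATEST))
    results, org = organizational_effectiveness(ENDPOINTS, ASL, EXCEPTIONS)
    for host, (status, ratio) in results.items():
        print(f"{host}: {status} ({ratio:.3f})")
    print(f"organizational update effectiveness: {org:.3f}")
```

A lower ratio is better: it is the share of authorized products on the endpoint that are out of date with no approved exception, so an endpoint whose only lagging package is excepted scores the same as a fully patched one.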