Preface on Sub-Controls 3.4 and 3.5

Sub-Controls 3.4 and 3.5 provide advice and guidance to organizations on deploying operating system and application/software patch management tools. Both sub-controls have inputs and processes that dive deep into calculating a patching score by comparing the number of patches that have been installed with the number of patches not installed on each endpoint. This makes it possible to score each endpoint manually, while acknowledging that counting every previously applied patch against every missing patch is a time-consuming endeavor for any organization.

The ultimate goal of these sub-controls is to reach a score (or ratio) of zero: the number of patches applied to each endpoint equals the number of patches the vendor has made available for the OS or software, i.e., there are no missing patches. Automated patch management tools can help organizations ensure that critical security concerns are patched as soon as a fix is available. However, there will always be patches that require manual updates. Relying on automated patch management as the only option results in poor patch management practice. This leads us to the question: how do we make it better?

Tenable products are able to query a variety of patch management solutions and verify whether or not patches are installed on managed systems. Additionally, Nessus can report on unmanaged hosts, hosts that have fallen out of management, and hosts that are not functioning properly. Implementing a comprehensive patch management policy can give organizations a consistent, repeatable process that keeps systems up to date. If all systems are up to date, there is little to no manual scoring requirement, as every ratio would be zero, and any system out of patching compliance would be easy to identify. The effort to capture and calculate the Inputs, Operations, and Measurements of the following sub-controls would be greatly reduced.

At the same time, we must also consider that if an organization operates distinct device types, such as database servers, web servers, mail servers, etc., each server type may have a different subset of applications installed, or, in some cases, those applications may be combined onto a single server. Organizations must therefore be able to identify what software is appropriate for each endpoint device, removing inappropriate software in addition to patching.
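The per-endpoint ratio described above, with the role-dependent software subsets from the last paragraph taken into account, as an added example (this is illustrative code written for this page, not a Tenable or CIS tool). It assumes a constructed vendor patch catalogue keyed by product, and constructed endpoint inventories; the set of patches that applies to an endpoint is derived from the software it runs, so a combined web/mail server is measured against a larger catalogue than a dedicated database server. A ratio of 0.0 is the target state. The "stray" list (installed patches for products the endpoint does not run) is an assumed extra that hints at inappropriate or unrecorded software.

```python
"""Per-endpoint missing-patch ratio (added example, not the page's own code).

Constructed assumptions:
- VENDOR_PATCHES maps each product to the patch IDs the vendor has released.
- Each Endpoint lists the products it runs and the patch IDs installed.
- ratio = missing / applicable; 0.0 means no missing patches.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed vendor catalogue: product -> available patch IDs (placeholders).
VENDOR_PATCHES = {
    "os": {"OS-001", "OS-002", "OS-003"},
    "webserver": {"WEB-010", "WEB-011"},
    "database": {"DB-100"},
    "mail": {"MAIL-200", "MAIL-201"},
}


@dataclass
class Endpoint:
    name: str
    software: set[str]   # products present on the endpoint
    installed: set[str]  # patch IDs reported as installed


def applicable_patches(ep: Endpoint, catalogue=VENDOR_PATCHES) -> set[str]:
    """Union of the vendor patches for every product the endpoint runs."""
    applicable: set[str] = set()
    for product in ep.software:
        applicable |= catalogue.get(product, set())
    return applicable


def score_endpoint(ep: Endpoint, catalogue=VENDOR_PATCHES) -> dict:
    """Compare installed patches with the applicable set and compute the ratio."""
    applicable = applicable_patches(ep, catalogue)
    missing = applicable - ep.installed
    # Patches installed for products not in the inventory: either the software
    # inventory is stale or software that should not be there is present.
    stray = ep.installed - applicable
    ratio = len(missing) / len(applicable) if applicable else 0.0
    return {
        "endpoint": ep.name,
        "applicable": len(applicable),
        "missing": sorted(missing),
        "stray": sorted(stray),
        "ratio": round(ratio, 3),
    }


def out_of_compliance(endpoints, catalogue=VENDOR_PATCHES) -> list[str]:
    """Names of endpoints whose ratio is above the target of zero."""
    return [
        s["endpoint"]
        for s in (score_endpoint(e, catalogue) for e in endpoints)
        if s["ratio"] > 0
    ]


# Constructed sample inventory: a dedicated web server, a dedicated database
# server, and a combined web/mail server with a leftover database patch.
SAMPLE_ENDPOINTS = [
    Endpoint("web01", {"os", "webserver"},
             {"OS-001", "OS-002", "OS-003", "WEB-010", "WEB-011"}),
    Endpoint("db01", {"os", "database"},
             {"OS-001", "OS-002", "DB-100"}),
    Endpoint("combo01", {"os", "webserver", "mail"},
             {"OS-001", "OS-002", "OS-003", "WEB-010", "MAIL-200", "DB-100"}),
]

if __name__ == "__main__":
    for ep in SAMPLE_ENDPOINTS:
        print(score_endpoint(ep))
    print("out of compliance:", out_of_compliance(SAMPLE_ENDPOINTS))
```

Running it scores web01 at 0.0, db01 at 0.25 (one OS patch missing out of four applicable) and combo01 at about 0.286 (two of seven missing, plus a stray DB-100 that the combined server has no recorded product for); the last two are reported as out of compliance.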