
Details: Monitor for Advisories

Project Quant post here...

Below is my first pass (based on the work in the forums by Daniel) on the detailed process for the first phase in the Patch Management Cycle.

Daniel included variables, but I decided to stick to the process level, and we can roll out the detailed variables once we get some consensus.

Here's my thinking:

  1. This phase should only cover the resources required to monitor for releases. Once that happens, we move on to the evaluation phase.
  2. It needs to reflect initial and ongoing costs to maintain asset type lists, as well as advisory source lists.
  3. I've tried my best to define the variables, which I know we will need to detail more once we start moving this into spreadsheet format.
  4. This is the "uber-model" and should include everything you could possibly do... clearly not all organizations will follow all steps for all assets.

This is merely a first pass, so let me know what you think.

[Image: diagram of the detailed process for the Monitor for Advisories phase]

One thing I'm realizing is that since this is a cost model, it would be easy to misinterpret it as saying "doing nothing is really cheap". I think it's important to remember that, as an operational efficiency model, measurements of the security impact of doing nothing are out of scope. I'm getting some ideas on how to bring that into scope a little more, but I think we need to stay away from getting dragged into all the risk/threat stuff.

As with all the Project Quant posts, you can comment here or in the forums...

—Rich

