The first is what I’ve referred to in the past as “the model,” which is the culmination of the first phase of Project Quant. The second is our summary and analysis of the patch management survey results, which I discuss in this other post.
Below is an excerpt from the model report executive summary; you can download the full report at http://securosis.com/research/publication/project-quant-metrics-model-report/.
Developing an Open Patch Management Metrics Model
This report includes the findings of the Project Quant patch management research project. Project Quant is dedicated to the development of a refined, unbiased patch management metrics model. The goal is to provide organizations with a tool to better understand their patching costs, and to guide improvements through an operational efficiency model capable of capturing accurate and precise performance metrics. It was developed through independent research, community involvement, and an open industry survey.
• There is no public platform-independent, industry-standard patch management process framework. As a result, Project Quant developed a superset framework to encompass most patching activities within any organization, regardless of the technology asset under review. It includes ten phases with forty steps.
• Based on survey responses, organizations are generally mature in managing desktop operating system and server operating system patches, but process maturity quickly falls off for other technologies and platforms.
• Staff time dedicated to patch management activities represents the majority of patch management costs, and thus the model was designed to focus heavily on granular patching activities.
• Patching across multiple platforms and business activities is a very complex process, and although the Project Quant model is extremely detailed, most organizations should focus on the key metrics identified through the model.
Summary and Next Steps
• This release includes a detailed patch management process framework and metrics model to enable organizations to quantify and optimize their patch management processes.
• This is Version 1.0 of the model; future work will continue refinement, generate sample use cases, and assess its functionality in various user environments.
• The next step is to engage end-user organizations in focused interviews to determine how their processes and maturity align with the model and survey results.
• The model can then be adapted for use in industry benchmarking.