Industry standard/best practices for defining SLAs for emergency and non-emergency patches

  • Question

  • Hi, Guys.

    Do you know where I can refer to industry standard/best practices for defining SLAs for emergency and non-emergency patches?

    Do you have any idea regarding the end-to-end process for deploying emergency patches?

    Thank you.

    Tuesday, December 18, 2018 5:59 PM

All replies

  • You're not going to find anything like this out there. All decisions are dependent on how your employer wants to classify the importance of software updates. Typically this is a discussion between Infosec and IT management. As a general rule, IMO, you would have 0day (patch now, no testing), 7 day (expedited testing and deployment) and standard deployment 30 days (regular testing and deployment). How you would accomplish this is pretty much up to you and your management.
    Saturday, December 22, 2018 5:18 AM
  • What about the factors that define SLA thresholds for both emergency and non-emergency patches? Do we have any industry standard that we can refer to regarding this?

    For example, Emergency Updates: 96% in 48 hours, Non-Emergency Updates: Minimum 87% and Maximum 96% Monthly

    Sunday, December 23, 2018 7:36 AM
  • No, it's all subjective to what you and your management/InfoSec determine. There is a writeup (PDF) by Homeland Security (cyber security center) that gives more explanation into what the dynamics are. The article is old but the variables of who/what/why of patching are all still relevant. If I had to give my opinion, everything is 30 day SLA, any out of band releases from the normal release schedule by the vendor would be 7 day SLA. Anything that is known to be affecting machines in the wild qualifies as 0 day patching.



    Sunday, December 30, 2018 7:22 AM
  • What about the factors that define SLA thresholds for both emergency and non-emergency patches? Do we have any industry standard that we can refer to regarding this?

    For example, Emergency Updates: 96% in 48 hours, Non-Emergency Updates: Minimum 87% and Maximum 96% Monthly

    @Mr_Wayne - did you ever get an answer to your question or any better data? I have been posed a similar question to set targets for a patch management model. Thanks.
    Tuesday, October 1, 2019 10:47 AM