12 Aug 2005

NIST SP on patching and vulnerability management

NIST is inviting public comments on a new draft Special Publication SP800-40 on Creating a patch and vulnerability management system (1 MB PDF file). Comments are especially welcome in three areas: (1) patching metrics, (2) required duties of the patch and vulnerability management group, and (3) the overall patch and vulnerability management process. The summary earns a big thumbs-up from us with the sentence: “Not all vulnerabilities have related patches; thus, system administrators must not only be aware of applicable and available vulnerabilities and patches, but also other methods of remediation (e.g., device or network configuration changes, employee training) that limit the exposure of systems to vulnerabilities.” Other NIST drafts are also open to comment.
