The Inner Circle

NCCoE seeking Comment on a New Draft Practice Guide: Improving Enterprise Patching for General IT Systems

  • 1.  NCCoE seeking Comment on a New Draft Practice Guide: Improving Enterprise Patching for General IT Systems

    Posted 11 days ago
    Hi All,

    Preview and Comment on a New Draft Practice Guide: Improving Enterprise Patching for General IT Systems

    The National Cybersecurity Center of Excellence is following an experimental agile process to provide each volume of preliminary draft practice guide, Improving Enterprise Patching for General IT Systems, for public comment as work continues on the implementation of the demonstration and development of other sections of the publication. This guide can benefit anyone who has a stake in protecting his or her organization's data, privacy, and overall operational security.

    Addressing Patching Challenges

    The NCCoE is writing this guide in collaboration with cybersecurity technology providers to identify actionable approaches that can help organizations improve enterprise patching practices for general information technology (IT) systems. Cybersecurity attacks bring home the dangers of operating computers with unpatched software. We know the risks; however, keeping software up-to-date with patches is an ongoing challenge for many organizations for a host of reasons, including timing and balancing security with mission impact and business objectives.

    Future volumes of this guide will include both process and tool usage improvements. Once available, the full practice guide can help your organization improve its security and reduce the likelihood of privacy breaches with sensitive personal information by:

    • overcoming common obstacles involving enterprise patching for general IT systems
    • achieving a comprehensive security hygiene program based on existing standards, guidance, and recommended practices

    We Value Your Insights

    We are seeking your feedback on the proposed approach and example solution outlined in Volume A, which discusses how existing tools can be used to implement:

    • the patching and inventory capabilities organizations need to handle both routine and emergency patching situations
    • workarounds, isolation methods, or other alternatives to patching

    The solution will also demonstrate recommended security practices for patch management systems themselves.

    The comment period is open through October 9, 2020. Submit your comments online or send an email to cyberhygiene@nist.gov.
    ------------------------------
    Michael Roza CPA, CISA, CIA
    ------------------------------