Abstract
Patch management is a risk management tool for enterprises and a key element of IT security programs. Improper patch management may lead to downtime and interruption, data leakage, penalties and fines for noncompliance with regulations, lost revenue, damaged reputation, litigation fees, etc. It is imperative for enterprises to develop, implement and monitor a well-structured patch management program. Monitoring of program implementation includes its audits. In this paper, an audit program and plan for patch management of enterprise applications is developed. Program includes common elements recommended by information security frameworks and the research community. The audit plan includes audit areas, accompanying audit objectives and tests. Finally, the audit areas, audit objectives and audit tests is mapped to applicable sections of the NIST cybersecurity framework.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Serova, E.: Enterprise information system of new generation. Electron. J. Inf. Syst. Eval. 15(1), 116–126 (2012)
MacLeod, K.J.: Patch Management and the Need for Metrics, SANS Institute Reading Room (2004)
Hall, J.: Information Technology Auditing and Assurance. South - Western Cengage Learning, Ohio (2011)
Souppaya, M., Scarfone, K.: Guide to Enterprise Patch Management Technologies. NIST, Virginia (2013)
Joint Universities Computing Centre: Network Computing, Information Security Newsletter, p. 1, 23 December 2013
Hoehl, M.: Framework for Building a Comprehensive Enterprise Security Patch Management Program, SANS Institute Reading Room (2013)
Tom, S., Christiansen, D., Berrett, D.: Recommended Practice of Patch Management of Control Systems. Idaho National Library, Idaho (2008)
Mell, P., Tracy, M.C.: Procedures for Handling Security Patches. National Institute of Standards and Technology, Washington DC (2002)
Blank, R.M., Gallagher, P.D.: Security and Privacy Controls for Federal Information Systems and Organizations, National Institute of Standards and Technology (2013)
Mell, P., Bergeron, T., Henning, D.: Creating a Patch and Vulnerability Management Program, National Institute of Standards and Technology (2005)
Medzich, M.: Deploying a Process for Patch Management in relation to Risk Management, SANS Institute (2004)
Ruppert, B.: Patch Management, SANS Institute Reading Room (2007)
Liu, S., Kuhn, R., Hart, R.: Surviving Insecure IT: Effective Patch Management. IT Prof. 11(2), 49–51 (2009)
National Institute of Standards and Technology: Framework for Improving Critical Infrastructure Cybersecurity, NIST (2014)
Council on Cybersecurity: The Critical Security Controls for Effective Cyber Defense, SANS Institute
National Institute of Standards and Technology: Assessing Security and Privacy Controls in Federal Information Systems and Organizations, NIST (2014)
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2018 Springer Nature Singapore Pte Ltd.
About this paper
Cite this paper
Odilinye, L., Butakov, S., Aghili, S. (2018). Audit Plan for Patch Management of Enterprise Applications. In: Kim, K., Kim, H., Baek, N. (eds) IT Convergence and Security 2017. Lecture Notes in Electrical Engineering, vol 450. Springer, Singapore. https://doi.org/10.1007/978-981-10-6454-8_22
Download citation
DOI: https://doi.org/10.1007/978-981-10-6454-8_22
Published:
Publisher Name: Springer, Singapore
Print ISBN: 978-981-10-6453-1
Online ISBN: 978-981-10-6454-8
eBook Packages: EngineeringEngineering (R0)