CISSP · Question #1438
Which of the following is the BEST way to determine the success of a patch management process?
The correct answer is B. Auditing and assessment. Determining the success of a patch management process requires auditing and assessment to verify that patches were applied correctly, completely, and within compliance requirements.
Question
Which of the following is the BEST way to determine the success of a patch management process?
Options
- AAnalysis and impact assessment
- BAuditing and assessment
- CConfiguration management (CM)
- DChange management
How the community answered
(26 responses)- A8% (2)
- B77% (20)
- C12% (3)
- D4% (1)
Why each option
Determining the success of a patch management process requires auditing and assessment to verify that patches were applied correctly, completely, and within compliance requirements.
Analysis and impact assessment is a pre-patch activity used to evaluate the potential effects of applying a patch before deployment, not a post-process measurement of success.
Auditing and assessment directly measure the effectiveness of a patch management process by verifying patch compliance rates, confirming that patches were successfully deployed across all systems, and identifying any gaps or failures in the patching cycle. This provides quantifiable metrics and evidence that the process is working as intended, making it the best method for evaluating success.
Configuration management tracks and controls the state of IT assets and their configurations but does not specifically measure whether the patch management process achieved its goals.
Change management is the process used to control and approve changes (including patches) before they are made, but it does not evaluate the outcome or success of the patching process after the fact.
Concept tested: Evaluating patch management process effectiveness through auditing
Source: https://www.nist.gov/publications/guide-enterprise-patch-management-planning-preventive-maintenance-technology
Topics
Community Discussion
No community discussion yet for this question.