Update of 040 - Remediation & Mitigation #57
getting a fresh copy of the repository
Comments in-line.
doc/version_1/040_treesForVulMgmt.md
|
||
<!--**Talk about applying other mitigations here** TODO | ||
--> | ||
To further clairify terms, "Remediaton occurs when the vulnerability is eliminated or removed. Mitigation occurs when the impact of the vulnerability is decreased without reducing or eliminating the vulnerability." (DoD Instruction 8531.01, section 3.5) Examples of remediation includes, applying patches, fixes and upgrades; or removing the vulnerabil software or system from operation. Mitigating acions may include, software configuration changes, adding firewall ACLs or otherwise limiting the system's exposure to reduce the risk of the impact of the vulnerability; or accepting the risk. |
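Review bot: the last sentence of the added paragraph lists "accepting the risk" as a mitigating action, which contradicts the DoDI 8531.01 definition quoted two sentences earlier (mitigation "occurs when the impact of the vulnerability is decreased"); risk acceptance leaves the impact unchanged, so either drop it from the mitigation examples or present it as a third outcome alongside remediation and mitigation. The same paragraph has typos to fix before merge: "clairify", "Remediaton", "the vulnerabil software", "acions", and "Examples of remediation includes" should read "Examples of remediation include". The citation is also left as an inline parenthetical, "(DoD Instruction 8531.01, section 3.5)"; it should follow the repository's reference format instead.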
Please see https://github.com/CERTCC/SSVC/blob/main/doc/reference-how-to for how to add references.
done
| Scheduled | Act during regularly scheduled maintenance time. | | ||
| Out-of-cycle | Act more quickly than usual to apply the fix out-of-cycle, during the next available opportunity, working overtime if necessary. | | ||
| Immediate | Act immediately; focus all resources on applying the fix as quickly as possible, including, if necessary, pausing regular organization operations. | | ||
|
||
### Coordinating Patches | ||
### Scheduling Patches |
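Review bot: the heading swap from "### Coordinating Patches" to "### Scheduling Patches" fits the three table rows above it (Scheduled, Out-of-cycle and Immediate describe how fast to act, not who coordinates), but the heading and the rows still say "patches" and "fix" while the earlier hunk in this file now distinguishes remediation from mitigation; consider "Scheduling Remediation and Mitigation", or state in the table that "fix" covers both, so the terminology stays consistent within the document.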
What's the intent here?
We are working on the coordinator's decision tree (#11). So this section will be re-written as a result of that issue.
I don't think this term change supports that issue, does it?
"Patches" here probably needs to be changed to "mitigation" based on #46? Unless it specifically just means a fix, but I think "patch" here is an error in v1 and we want to say "coordinating mitigations" as what a Coordinator stakeholder does, so we are general enough. Is that right?
The title is "Coordinating Patches". The first two paragraphs speak to problems with CVD and CVSS. The third talks about how to schedule your patch action when you have multiple patches with varying priorities.
Maybe the "Scheduling Patches" title should be above the last paragraph.
There should be a footnote/endnote for DoDI 8531.01.
Changed the title Coordinating Patches to Scheduling Patches.
Consider the first two paragraphs under Scheduling Patches. Should they be moved to an earlier part of the paper or removed?
Open to suggestions and discussions.
Laurie