Risk Management
Calculated Risk
Step 2: Do The Legwork
Here's just a portion of the effort Nigriny put into his patch management ROSI: "I am throwing into it how many patches per year I apply, based on three years of data. I sit down with the network team and talk about the types of patches, their criticality level. I look at how long it takes to vet the patch. How many rollouts result in a rollback because of problems with the patch. Then I look at how many patches I should have installed, based on all the patches on all the mailing lists I subscribe to. I dedicate a day to that, but I could take weeks. Eventually, I come up with total time I was at X-percentage risk level before the patches were installed. Here's the average cost of an incident to us; that's my baseline number. You absolutely have to have that. There are industry baselines for this you can find. You can talk to peers at other companies about their baselines and massage them for your situation."
You get the idea. ROSI is labor-intensive. In his partial history of the patch management ROSI above, though, Nigriny demonstrates much of what you need to do to prepare to use ROSI. Here it is:
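To make the inputs Nigriny lists concrete, here is an added worked model (example code written for this page, not Nigriny's own spreadsheet or method). It feeds constructed patch records through the factors he names (patch volume, criticality, vetting time, rollback rate, time at risk, and an average incident cost baseline) and combines them with the commonly used ROSI formula, ROSI = (risk reduction − cost of the control) / cost of the control. The formula, the labor rate, the rollback rework penalty, and the expected incident rate for an unpatched estate are all assumptions chosen for illustration, not figures from the article.

```python
"""Toy patch-management ROSI model (constructed example, not the article's data)."""
from dataclasses import dataclass


@dataclass
class PatchRecord:
    name: str
    criticality: str    # "critical", "high", "medium" or "low"
    days_to_vet: float  # days from advisory to approved rollout
    rolled_back: bool   # rollout failed and had to be reverted


# Constructed sample of one year's patches (hypothetical names and numbers).
PATCHES = [
    PatchRecord("kernel-fix-A", "critical", 2.0, False),
    PatchRecord("tls-lib-fix-B", "critical", 3.0, True),
    PatchRecord("webserver-fix-C", "high", 5.0, False),
    PatchRecord("office-suite-fix-D", "medium", 10.0, False),
    PatchRecord("printer-fw-fix-E", "low", 30.0, False),
]

# Assumed cost model (illustrative constants, not from the article).
LABOR_RATE_PER_DAY = 800.0      # loaded cost of one admin-day
ROLLOUT_DAYS = 1.0              # effort to deploy one vetted patch
REWORK_DAYS = 3.0               # extra effort when a rollout is rolled back
ROLLBACK_EXPOSURE_DAYS = 7.0    # extra days unpatched after a rollback
AVG_INCIDENT_COST = 50_000.0    # Nigriny's "baseline number" (value assumed)
INCIDENTS_PER_YEAR_UNPATCHED = 2.0  # assumed rate if nothing were patched


def rollback_rate(patches):
    """Fraction of rollouts that ended in a rollback."""
    return sum(p.rolled_back for p in patches) / len(patches)


def exposure_days(p):
    """Days a system sat unpatched for one patch, including rollback delay."""
    return p.days_to_vet + (ROLLBACK_EXPOSURE_DAYS if p.rolled_back else 0.0)


def mean_exposure_days(patches):
    """Average unpatched window across the year's patches."""
    return sum(exposure_days(p) for p in patches) / len(patches)


def exposure_fraction(patches, days_in_year=365.0):
    """The 'X-percentage risk level': share of the year spent exposed."""
    return mean_exposure_days(patches) / days_in_year


def labor_cost(patches):
    """Vetting, rollout and rework effort priced at the assumed day rate."""
    days = 0.0
    for p in patches:
        days += p.days_to_vet + ROLLOUT_DAYS
        if p.rolled_back:
            days += REWORK_DAYS
    return days * LABOR_RATE_PER_DAY


def annual_loss_expectancy(patches):
    """Expected yearly loss: incidents can only land while systems are exposed."""
    ale_unpatched = INCIDENTS_PER_YEAR_UNPATCHED * AVG_INCIDENT_COST
    return ale_unpatched, ale_unpatched * exposure_fraction(patches)


def rosi(patches):
    """ROSI = (risk reduction - control cost) / control cost (standard formula)."""
    before, after = annual_loss_expectancy(patches)
    cost = labor_cost(patches)
    return (before - after - cost) / cost


if __name__ == "__main__":
    print(f"rollback rate      : {rollback_rate(PATCHES):.0%}")
    print(f"mean exposure days : {mean_exposure_days(PATCHES):.1f}")
    print(f"exposure fraction  : {exposure_fraction(PATCHES):.2%}")
    print(f"labor cost         : ${labor_cost(PATCHES):,.0f}")
    print(f"ROSI               : {rosi(PATCHES):.2f}")
```

Every factor in the quote maps to one function, which is the point: the baseline incident cost and the unpatched incident rate dominate the result, so those two numbers deserve the industry-baseline and peer comparison Nigriny describes, while the labor side can be read straight off ticketing data.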