# Standards and References - Patch Tuesday Response Process

## Microsoft Resources

- MSRC Security Update Guide: https://msrc.microsoft.com/update-guide
- Microsoft Security Blog: https://www.microsoft.com/en-us/security/blog/
- Windows Update for Business: https://learn.microsoft.com/en-us/windows/deployment/update/waas-manage-updates-wufb
- SCCM/MECM Patch Management: https://learn.microsoft.com/en-us/mem/configmgr/sum/

## Industry Standards

- **NIST SP 800-40 Rev 4**: Guide to Enterprise Patch Management Planning
- **CIS Controls v8.1 Control 7.4**: Perform Automated Patch Management
- **PCI DSS v4.0 Req 6.3.3**: Install security patches within one month of release
- **ISO 27001:2022 A.8.8**: Management of technical vulnerabilities

## Patch Tuesday Statistics (2025)

| Metric | Value |
|--------|-------|
| Total CVEs patched in 2025 | 1,129 |
| Year-over-year increase | 11.9% |
| Average CVEs per month | ~94 |
| Top category: Elevation of Privilege | ~49% |
| Top category: Remote Code Execution | ~34% |
| Zero-days patched in 2025 | Multiple per quarter |

## Vendor Analysis Resources

- Qualys Patch Tuesday Blog: https://blog.qualys.com/tag/patch-tuesday
- Tenable Patch Tuesday Analysis: https://www.tenable.com/blog/tag/patch-tuesday
- CrowdStrike Patch Tuesday: https://www.crowdstrike.com/blog/tag/patch-tuesday
- SANS ISC Patch Tuesday Dashboard: https://isc.sans.edu/patchtuesday/