I personally would recommend focusing on the outcomes needed rather than the severity of the issues which are being addressed. I have worked with a lot of organisations over the years, which have had very different ways of looking at the security risk associated with security patching. Although they may have had a risk-based approach, the desired outcome has always been the same - patch as quickly as possible without interrupting the business.
I have always found that keeping it simple gets the best results. You could look at different severity levels and different time-to-deploy measurements for different environments, but you are likely to find you spend more time on prioritisation / discussing prioritisation than is necessary. Over time, you will see trends for the different infra types; for example, user access devices will always be a higher priority than servers as they are more on the network edge.
When I defined our policy, I decided on the approach of –
User Access Devices (Laptops / Desktops) – Non-Critical – 31 days
Servers / Network Devices – Non-Critical – 70 days
We then have a process which controls what we see as critical to us, supported by Security Intelligence and industry security intelligence sharing etc. For truly critical issues we would address them on the user access devices within 5 days and within 10 days in our server / networking environments (using an outside-in prioritisation model).
I did it this way as we, at an ops level, aim to patch everything every month, so our ops teams will always meet their KPI for non-complex issues; for complex ones they have a little longer to do the work needed. By treating Critical issues as truly critical issues, I can go to our Ops Leadership team to ask for resourcing to address something when needed, rather than every week when a vendor says something is critical.
Removing the discussions on prioritisation enabled us to focus more on delivery and, more importantly, on delivery issues.
We use our scan data as a confirmational exercise and to report on KPIs which demonstrate the age of findings within our InsightVM instances.
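As an added example that is not part of the original post: a small Python calculator that applies the four SLA windows described above (31 / 70 days non-critical, 5 / 10 days critical, outside-in) to constructed scan findings and produces the age-of-finding KPI per bucket. The asset class labels, the sample findings and the reporting date are assumptions, not real scan output.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# SLA windows in days, taken from the policy above. Outside-in: user access
# devices (network edge) get the shorter window in both tiers.
SLA_DAYS = {
    ("user_access", "non_critical"): 31,
    ("server_network", "non_critical"): 70,
    ("user_access", "critical"): 5,
    ("server_network", "critical"): 10,
}

@dataclass
class Finding:
    asset: str
    asset_class: str  # "user_access" or "server_network" (assumed labels)
    criticality: str  # "critical" (your own intel-driven call) or "non_critical"
    first_seen: date  # date the scanner first reported the finding

def sla_deadline(f: Finding) -> date:
    """Date by which the finding must be remediated under the policy."""
    return f.first_seen + timedelta(days=SLA_DAYS[(f.asset_class, f.criticality)])

def is_overdue(f: Finding, today: date) -> bool:
    return today > sla_deadline(f)

def kpi_report(findings, today):
    """Per bucket: total open, overdue count, oldest finding age, % within SLA."""
    report = {}
    for f in findings:
        row = report.setdefault((f.asset_class, f.criticality),
                                {"total": 0, "overdue": 0, "max_age_days": 0})
        row["total"] += 1
        row["overdue"] += int(is_overdue(f, today))
        row["max_age_days"] = max(row["max_age_days"], (today - f.first_seen).days)
    for row in report.values():
        row["within_sla_pct"] = round(100 * (row["total"] - row["overdue"]) / row["total"], 1)
    return report

# Constructed sample findings and reporting date (not real scan data).
TODAY = date(2024, 3, 1)
SAMPLE_FINDINGS = [
    Finding("LAPTOP-01", "user_access", "non_critical", date(2024, 1, 20)),
    Finding("LAPTOP-02", "user_access", "critical", date(2024, 2, 27)),
    Finding("SRV-01", "server_network", "non_critical", date(2024, 1, 5)),
    Finding("SRV-02", "server_network", "critical", date(2024, 2, 15)),
    Finding("FW-01", "server_network", "critical", date(2024, 2, 24)),
]

def run_report():
    return kpi_report(SAMPLE_FINDINGS, TODAY)
```

Feeding the same function with findings exported from the scanner (asset, class, your critical flag, first-seen date) gives the age-of-finding KPI per bucket that the post reports on.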