Vulnerability management is a set of processes and technologies that an organization employs to identify, assess, and mitigate business risks arising from the deployment and use of IT assets and processes. But it is not just an IT issue. Vulnerabilities translate into real business risks if the right management approach is not taken.
Throughout the vulnerability management process, the role of internal auditors is to assess the effectiveness of preventive, detective, and mitigation measures against past and future attacks. In addition, auditors need to inform the board of directors of the threats, vulnerabilities, and corrective measures taken to fix problem areas. In particular, auditors identify where IT security can implement more effective vulnerability management processes and better validate existing vulnerability remediation efforts.
This 24-page guide was developed to help chief audit executives (CAEs) and internal auditors ask the right questions of IT security staff when assessing the effectiveness of their vulnerability management processes. The guide recommends specific management practices to help an organization achieve and sustain higher levels of effectiveness and efficiency, and it illustrates the differences between high- and low-performing vulnerability management efforts. After reading this guide, you will:
- Have a working knowledge of vulnerability management processes.
- Have the ability to differentiate between high- and low-performing vulnerability management organizations.
- Be familiar with the typical progression of capability — from a technology-based approach to a risk-based approach to an IT process-based approach.
- Provide useful guidance to IT management on best practices for vulnerability management.
- Be able to sell your recommendations more effectively to your chief information officer, chief information security officer, chief executive officer, and chief financial officer.
The guide also provides example metrics to use when measuring vulnerability management practices, such as identifying the number of unique vulnerabilities, the percent of total systems that are subject to a configuration management process, and the mean time to remediate a problem. Finally, the guide lists the top 10 questions CAEs and internal auditors should ask about vulnerability management and illustrates answers indicative of low- and high-performing organizations.
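The three example metrics named above are easy to describe but only useful when they are computed consistently from the same scanner and asset inventory data every reporting period. The following Python is an added example, not material from the GTAG or from The IIA: it computes unique vulnerability count, the percentage of systems under configuration management, and mean time to remediate (overall and per severity) over a small set of constructed finding and asset records. The record layout, the `VULN-000x` identifiers, host names and dates are all assumptions invented for the illustration; a real implementation would read these from the scanner export and the CMDB.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Finding:
    """One scanner finding: a weakness observed on one host."""
    vuln_id: str               # weakness identifier (constructed placeholder, not a real CVE)
    host: str
    severity: str              # "critical", "high", "medium", "low"
    discovered: date
    remediated: Optional[date]  # None while the finding is still open


@dataclass(frozen=True)
class Asset:
    """One system from the asset inventory."""
    host: str
    under_config_mgmt: bool    # True if the host is enrolled in configuration management


# Constructed sample data (hypothetical hosts, ids and dates).
ASSETS = [
    Asset("web-01", True),
    Asset("web-02", True),
    Asset("db-01", True),
    Asset("app-01", True),
    Asset("file-01", False),   # the one host outside configuration management
]

FINDINGS = [
    Finding("VULN-0001", "web-01", "high", date(2024, 3, 1), date(2024, 3, 8)),     # 7 days
    Finding("VULN-0001", "web-02", "high", date(2024, 3, 1), date(2024, 3, 15)),    # 14 days
    Finding("VULN-0002", "db-01", "critical", date(2024, 3, 5), date(2024, 3, 7)),  # 2 days
    Finding("VULN-0003", "app-01", "medium", date(2024, 3, 10), None),              # still open
    Finding("VULN-0002", "file-01", "critical", date(2024, 3, 5), None),            # still open
]


def unique_vulnerabilities(findings):
    """Number of distinct weaknesses, regardless of how many hosts each affects."""
    return len({f.vuln_id for f in findings})


def percent_under_config_management(assets):
    """Share of inventoried systems enrolled in configuration management, in percent."""
    if not assets:
        return 0.0
    managed = sum(1 for a in assets if a.under_config_mgmt)
    return 100.0 * managed / len(assets)


def mean_time_to_remediate(findings, severity=None):
    """Average days from discovery to remediation over closed findings.

    Open findings are excluded so that they do not drag the average down;
    report them separately with open_findings_older_than(). Returns None when
    no closed finding matches, rather than a misleading zero.
    """
    durations = [
        (f.remediated - f.discovered).days
        for f in findings
        if f.remediated is not None and (severity is None or f.severity == severity)
    ]
    if not durations:
        return None
    return sum(durations) / len(durations)


def open_findings_older_than(findings, as_of, max_days):
    """Count of findings still open on `as_of` that have exceeded `max_days` (an SLA breach view)."""
    return sum(
        1 for f in findings
        if f.remediated is None and (as_of - f.discovered).days > max_days
    )


if __name__ == "__main__":
    print("unique vulnerabilities:", unique_vulnerabilities(FINDINGS))
    print("percent under config mgmt:", percent_under_config_management(ASSETS))
    print("MTTR overall (days):", mean_time_to_remediate(FINDINGS))
    print("MTTR critical (days):", mean_time_to_remediate(FINDINGS, "critical"))
    print("open > 14 days as of 2024-04-01:",
          open_findings_older_than(FINDINGS, date(2024, 4, 1), 14))
```

Two design choices matter for an auditor reviewing such numbers: unique vulnerabilities are counted by weakness, not by host, so a single unpatched library on fifty servers is one item rather than fifty; and mean time to remediate is computed only over closed findings, which is why it must always be read alongside the count of findings still open past their target date.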
Prepared by The Institute of Internal Auditors (The IIA), each Global Technology Audit Guide (GTAG) is written in straightforward business language to address a timely issue related to information technology (IT) management, control, and security. The GTAG series serves as a ready resource for chief audit executives on different technology-associated risks and recommended practices.