GTAG 6: Managing and Auditing IT Vulnerabilities
This concise, 24-page guide was developed to help chief audit executives (CAEs) and internal auditors ask the right questions of IT security staff when assessing the effectiveness of their vulnerability management processes. The guide recommends specific management practices to help an organization achieve and sustain higher levels of effectiveness and efficiency and illustrates the differences between high- and low-performing vulnerability management efforts. After reading this guide, you will:
  • Have a working knowledge of vulnerability management processes.
  • Have the ability to differentiate between high- and low-performing vulnerability management organizations.
  • Be familiar with the typical progression of capability - from a technology-based approach to a risk-based approach to an IT process-based approach.
  • Provide useful guidance to IT management on best practices for vulnerability management.
  • Be able to sell your recommendations more effectively to your chief information officer, chief information security officer, chief executive officer, and chief financial officer.

Authors
Sasha Romanosky, Heinz School of Public Policy and Management, Carnegie Mellon University
Gene Kim, Tripwire Inc. and IT Process Institute
Bridget Kravchenko, General Motors Corp.

Download this guide (PDF, 574KB).
Purchase the printed version.
Download GTAG 6 PowerPoint slides (PPT, 627 KB).
Download form for permission to translate to another language (PDF, 20 KB).

Training in relation to this GTAG
The IIA also offers training, either on site at your location or as part of our seminars program. To find out more, go to Internet Security for IT Auditors (IIA/Deloitte).

The Institute of Internal Auditors • 247 Maitland Avenue • Altamonte Springs, Florida 32701-4201 USA
+1-407-937-1100 • Fax +1-407-937-1101 • www.theiia.org • Copyright 2008