Chief audit executives (CAEs) and internal auditors who want to learn more about managing and auditing IT vulnerabilities are in luck. The IIA has just released the sixth guide in its Global Technology Audit Guide (GTAG®) series, Managing and Auditing IT Vulnerabilities. The 24-page guide was developed to help CAEs and internal auditors ask the right questions of IT security staff when assessing the effectiveness of their vulnerability management processes. The guide recommends specific management practices to help an organization achieve and sustain higher levels of effectiveness and efficiency, and illustrates the differences between high- and low-performing vulnerability management efforts. After reading this guide, you will:
According to Gene Kim, chief technology officer and founder of Tripwire Inc. and one of the guide's authors, CAEs are in the perfect position to help maximize how the organization audits IT vulnerabilities. "Often, too much is spent analyzing the nature of technology vulnerabilities and too little time is spent looking at the process of how the IT organization analyzes, organizes, approves, and then implements the needed IT changes," he explains. "Because of this, auditors focus on the wrong risks. CAEs are uniquely suited to spotting these organizational and process issues and can help organizations become more effective, efficient, and secure."

Throughout the vulnerability management process, the role of internal auditors is to assess the effectiveness of preventive, detective, and mitigation measures against past and future attacks. In addition, auditors need to inform the board of directors of the threats, vulnerabilities, and corrective measures taken to fix problem areas. In particular, auditors identify where IT security can implement more effective vulnerability management processes and better validate existing vulnerability remediation efforts.

"Vulnerability management is not just an IT issue. Vulnerabilities translate into real business risks if the right management approach is not taken," says co-author Bridget Kravchenko, IT audit manager for General Motors Corp. "If an organization doesn't have a good IT asset management process, identifying vulnerabilities before they hit will be difficult. This GTAG will help auditors define what a vulnerability management scope should be and how to measure its effectiveness."

The guide also provides example metrics to use when measuring vulnerability management practices, such as the number of unique vulnerabilities, the percentage of total systems that are subject to a configuration management process, and the mean time to remediate a problem.
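The three example metrics named above are straightforward to compute from scan and remediation records, but the way open findings are handled decides whether the numbers mean anything. The following is an added example, not code from the IIA or the guide: it runs over a constructed inventory and set of findings (the asset names and VULN-n identifiers are placeholders), computes unique vulnerabilities, percent of assets under configuration management and mean time to remediate, and reports the age of still-open findings separately so that unfixed problems, which a mean over closed findings excludes, stay visible to the auditor.

```python
"""Vulnerability-management metrics over a constructed set of scan findings.

Added example (not the IIA's or the guide's code): computes the three metrics
the announcement cites and treats still-open findings as a separate aging
measure rather than letting them silently drop out of the mean.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, Optional, Set, Tuple


@dataclass(frozen=True)
class Finding:
    asset: str                    # hostname or asset tag
    vuln_id: str                  # scanner or CVE identifier (placeholders below)
    detected: date
    remediated: Optional[date]    # None while the finding is still open


# Constructed sample inventory and scan results; all identifiers are placeholders.
ASSETS: Set[str] = {"web-01", "web-02", "db-01", "app-01", "app-02"}
UNDER_CONFIG_MGMT: Set[str] = {"web-01", "web-02", "db-01"}
FINDINGS = [
    Finding("web-01", "VULN-1", date(2006, 3, 1), date(2006, 3, 6)),   # closed, 5 days
    Finding("web-02", "VULN-1", date(2006, 3, 1), date(2006, 3, 9)),   # closed, 8 days
    Finding("db-01",  "VULN-2", date(2006, 3, 2), date(2006, 3, 4)),   # closed, 2 days
    Finding("db-01",  "VULN-3", date(2006, 3, 2), None),               # still open
    Finding("app-01", "VULN-2", date(2006, 3, 5), None),               # still open
]
AS_OF = date(2006, 3, 12)  # reporting date for the constructed data


def unique_vulnerabilities(findings: Iterable[Finding]) -> int:
    """Distinct vulnerability identifiers, regardless of how many assets carry each."""
    return len({f.vuln_id for f in findings})


def percent_under_config_mgmt(assets: Set[str], managed: Set[str]) -> float:
    """Share of the inventory enrolled in the configuration management process.

    Only assets actually present in the inventory count, so an asset listed as
    managed but missing from the inventory cannot inflate the figure.
    """
    if not assets:
        return 0.0
    return 100.0 * len(assets & managed) / len(assets)


def mean_time_to_remediate(findings: Iterable[Finding]) -> Optional[float]:
    """Mean days from detection to remediation over closed findings only.

    Returns None when nothing has been closed yet instead of reporting 0 days.
    """
    durations = [(f.remediated - f.detected).days for f in findings if f.remediated]
    if not durations:
        return None
    return sum(durations) / len(durations)


def open_finding_ages(findings: Iterable[Finding], as_of: date) -> Dict[Tuple[str, str], int]:
    """Age in days of every still-open finding as of a given date.

    Reported alongside MTTR because MTTR excludes open findings entirely.
    """
    return {(f.asset, f.vuln_id): (as_of - f.detected).days
            for f in findings if f.remediated is None}


def metrics_report(findings, assets, managed, as_of: date) -> dict:
    """Bundle the metrics into one record an audit workpaper could cite."""
    ages = open_finding_ages(findings, as_of)
    return {
        "unique_vulnerabilities": unique_vulnerabilities(findings),
        "percent_under_config_mgmt": percent_under_config_mgmt(assets, managed),
        "mean_time_to_remediate_days": mean_time_to_remediate(findings),
        "open_findings": len(ages),
        "oldest_open_finding_days": max(ages.values(), default=0),
    }


if __name__ == "__main__":
    for key, value in metrics_report(FINDINGS, ASSETS, UNDER_CONFIG_MGMT, AS_OF).items():
        print(f"{key}: {value}")
```

On the constructed data the mean time to remediate is 5 days across the three closed findings, while the two open findings are 10 and 7 days old; an auditor reading only the mean would miss that the oldest open item already exceeds it.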
Finally, the guide lists the top 10 questions CAEs and internal auditors should ask about vulnerability management and illustrates answers indicative of low- and high-performing organizations. "IT vulnerabilities can lead to a loss of revenue and productivity," adds co-author Sasha Romanosky, co-developer of the Common Vulnerability Scoring System and co-author of various books on security topics. "Auditors will appreciate the difficulties of identifying, tracking, and fixing vulnerabilities, and we hope this guide will provide them with a realistic approach to mitigating the probability and degree of loss caused by IT vulnerabilities."

Authors: Sasha Romanosky, Heinz School of Public Policy and Management, Carnegie Mellon University; Gene Kim, Tripwire Inc. and IT Process Institute; and Bridget Kravchenko, General Motors Corp.

Download Managing and Auditing IT Vulnerabilities (PDF, 574 KB)
Download GTAG 6 PowerPoint slides (PPT, 627 KB)
Download form for permission to translate to another language (PDF, 20 KB)