GTAG-6 presentation (PPT, 630 KB).
Global Technology Audit Guide (GTAG) series
Guide to the Assessment of IT Risk (GAIT) series
IT Audit Guidance main page
Guide 6: Managing and Auditing IT Vulnerabilities
Download (members only): English (PDF, 570KB); Spanish (520KB); French (360KB)
Purchase from The IIA Research Foundation Bookstore
This concise, 24-page guide was developed to help chief audit executives (CAEs) and internal auditors ask the right questions of IT security staff when assessing the effectiveness of their vulnerability management processes. The guide recommends specific management practices to help an organization achieve and sustain higher levels of effectiveness and efficiency and illustrates the differences between high- and low-performing vulnerability management efforts. After reading this guide, you will:
TABLE OF CONTENTS
1 Executive Summary
2 Introduction
2.1 Identifying Poor Vulnerability Management
2.2 Improving Vulnerability Management
2.3 The Internal Auditor's Role
2.4 How Vulnerability Management Drives Changes to the IT Infrastructure
3 Vulnerability Management Lifecycle
3.1 Identification and Validation
    Scoping Systems
    Detecting Vulnerabilities
    Validating Findings
3.2 Risk Assessment and Prioritization
    Assessing Risks
    Prioritizing Vulnerabilities
3.3 Remediation
    Mitigating Critical Vulnerabilities
    Creating a Vulnerability Mitigation Process
3.4 Continually Improve
    Stopping the Spread
    Setting Expectations With OLAs
    Achieving Efficiency Through Automation
    Using Past Experience to Guide Future Actions
4 Organization Maturity
4.1 Low Performers
4.2 High Performers
5 Appendix
5.1 Metrics
5.2 Top 10 Questions CAEs Should Ask About Vulnerability Management
5.3 A Word on Vulnerability and Risk Management
5.4 Vulnerability Resources for the Internal Auditor
5.5 Glossary
6 References
7 About the Authors
Authors
Sasha Romanosky, Heinz School of Public Policy and Management, Carnegie Mellon University
Gene Kim, Tripwire Inc. and IT Process Institute
Bridget Kravchenko, General Motors Corp.
Questions for the authors about this guide? E-mail guidance@theiia.org.
Training in relation to this GTAG
The IIA also offers training, either on site at your location or as part of its seminars program. To find out more, see Internet Security for IT Auditors (IIA/Deloitte).