Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Global Technology Audit Guide - Managing and Auditing IT Vulnerabilities

Gtag6 I'd like to point all Nessus users and Tenable customers towards a new guide from The Institute of Internal Auditors. The guide helps internal auditors ask the right questions of the IT security staff. It also helps an auditor recognize when an organization is using best practices when managing vulnerabilities and when they are not. If you are not involved in performing audits, but are the one being audited, this guide can help you prepare for the tough (or easy) questions which may be asked of you. 

The IIA has published many guides for auditing internal controls, mitigating risk and auditing technology. The technology audit guides are called "GTAGs" which stands for Global Technology Audit Guides. This latest is the sixth in a series. Previous GTAGs covered topics such as patch management, auditing IT controls,  and managing privacy risk. The IIA has created a reference powerpoint presentation here which summarizes all GTAGs.

Readers of this new guide on auditing IT vulnerabilities should expect to understand:

  • how to differentiate between high and low performing vulnerability management organizations
  • how organizations progress their vulnerability management techniques from a technology based approached, to a risk-based approach and ultimately to a process based approach
  • how to articulate recommendations for vulnerability management to chief executives

Regardless of your technical prowess or your political position in your organization, there should be something in this for anyone involved with IT security audits. My personal favorite is the section on the "Top 10 Questions" you should ask about vulnerability management. The questions are:

  1. What percent of total systems are monitored or scanned?
  2. How many unique vulnerabilities exist in your enterprise?
  3. What percentage of systems are managed?
  4. What percent of vulnerabilities have you validated?
  5. What is the mean time to remediate a vulnerability?
  6. What percentage of actionable vulnerabilities was remediated in the past quarter?
  7. What percent of your operation level agreements are met?
  8. What percent of IT Security work is unplanned?
  9. How many security incidents have you experienced during the past quarter?
  10. What was the average cost of your last five security incidents?

The reason I like this section is that for each of these questions, the guide provides you example answers from a "low performer", "high performer" and a "manager in denial". Sharp auditors who follow the GTAG will be looking for responses along these lines, so I highly recommend folks be familiar with these sections and have their answers with data to back them up ready.

I also like these questions because I know that organizations who use Nessus, the Security Center and the Passive Vulnerability Scanner have an easier time answering these questions. I regularly speak with customer who "confirm" network based vulnerabilities discovered with Nessus or the PVS with an agent-less patch audit also performed by Nessus. I also know that many of the reporting features we've put into the Security Center came as requests directly from customers who had to produce reports and data similar to what the GTAG is asking.

Subscribe to the Tenable Blog

Try for Free Buy Now

Try Tenable.io Vulnerability Management


Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Sign up now and run your first scan within 60 seconds.

Buy Tenable.io Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

65 assets

Try Nessus Professional Free


Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.