Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Global Technology Audit Guide - Managing and Auditing IT Vulnerabilities

Gtag6 I'd like to point all Nessus users and Tenable customers towards a new guide from The Institute of Internal Auditors. The guide helps internal auditors ask the right questions of the IT security staff. It also helps an auditor recognize when an organization is using best practices when managing vulnerabilities and when they are not. If you are not involved in performing audits, but are the one being audited, this guide can help you prepare for the tough (or easy) questions which may be asked of you. 

The IIA has published many guides for auditing internal controls, mitigating risk and auditing technology. The technology audit guides are called "GTAGs" which stands for Global Technology Audit Guides. This latest is the sixth in a series. Previous GTAGs covered topics such as patch management, auditing IT controls,  and managing privacy risk. The IIA has created a reference powerpoint presentation here which summarizes all GTAGs.

Readers of this new guide on auditing IT vulnerabilities should expect to understand:

  • how to differentiate between high and low performing vulnerability management organizations
  • how organizations progress their vulnerability management techniques from a technology based approached, to a risk-based approach and ultimately to a process based approach
  • how to articulate recommendations for vulnerability management to chief executives

Regardless of your technical prowess or your political position in your organization, there should be something in this for anyone involved with IT security audits. My personal favorite is the section on the "Top 10 Questions" you should ask about vulnerability management. The questions are:

  1. What percent of total systems are monitored or scanned?
  2. How many unique vulnerabilities exist in your enterprise?
  3. What percentage of systems are managed?
  4. What percent of vulnerabilities have you validated?
  5. What is the mean time to remediate a vulnerability?
  6. What percentage of actionable vulnerabilities was remediated in the past quarter?
  7. What percent of your operation level agreements are met?
  8. What percent of IT Security work is unplanned?
  9. How many security incidents have you experienced during the past quarter?
  10. What was the average cost of your last five security incidents?

The reason I like this section is that for each of these questions, the guide provides you example answers from a "low performer", "high performer" and a "manager in denial". Sharp auditors who follow the GTAG will be looking for responses along these lines, so I highly recommend folks be familiar with these sections and have their answers with data to back them up ready.

I also like these questions because I know that organizations who use Nessus, the Security Center and the Passive Vulnerability Scanner have an easier time answering these questions. I regularly speak with customer who "confirm" network based vulnerabilities discovered with Nessus or the PVS with an agent-less patch audit also performed by Nessus. I also know that many of the reporting features we've put into the Security Center came as requests directly from customers who had to produce reports and data similar to what the GTAG is asking.

Related Posts

Subscribe to the Tenable Blog

Subscribe
Try for Free Buy Now

Try Tenable.io

FREE FOR 60 DAYS

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Sign up now and run your first scan within 60 seconds.

Buy Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

65 assets

$2,190.00

Buy Now

Try for Free Buy Now

Try Nessus Professional Free

FREE FOR 7 DAYS

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy Nessus Professional

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save

Try for Free Buy Now

Try Tenable.io Web Application Scanning

FREE FOR 60 DAYS

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable.io platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now and run your first scan within 60 seconds.

Buy Tenable.io Web Application Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578.00

Buy Now

Try for Free Contact Sales

Try Tenable.io Container Security

FREE FOR 60 DAYS

Enjoy full access to the only container security offering integrated into a vulnerability management platform. Monitor container images for vulnerabilities, malware and policy violations. Integrate with continuous integration and continuous deployment (CI/CD) systems to support DevOps practices, strengthen security and support enterprise policy compliance.

Buy Tenable.io Container Security

Tenable.io Container Security seamlessly and securely enables DevOps processes by providing visibility into the security of container images – including vulnerabilities, malware and policy violations – through integration with the build process.

Learn More about Industrial Security