I'd like to point all Nessus users and Tenable customers towards a new guide from The Institute of Internal Auditors. The guide helps internal auditors ask the right questions of the IT security staff. It also helps an auditor recognize when an organization is using best practices when managing vulnerabilities and when they are not. If you are not involved in performing audits, but are the one being audited, this guide can help you prepare for the tough (or easy) questions which may be asked of you.
The IIA has published many guides for auditing internal controls, mitigating risk and auditing technology. The technology audit guides are called "GTAGs" which stands for Global Technology Audit Guides. This latest is the sixth in a series. Previous GTAGs covered topics such as patch management, auditing IT controls, and managing privacy risk. The IIA has created a reference powerpoint presentation here which summarizes all GTAGs.
Readers of this new guide on auditing IT vulnerabilities should expect to understand:
- how to differentiate between high and low performing vulnerability management organizations
- how organizations progress their vulnerability management techniques from a technology based approached, to a risk-based approach and ultimately to a process based approach
- how to articulate recommendations for vulnerability management to chief executives
Regardless of your technical prowess or your political position in your organization, there should be something in this for anyone involved with IT security audits. My personal favorite is the section on the "Top 10 Questions" you should ask about vulnerability management. The questions are:
- What percent of total systems are monitored or scanned?
- How many unique vulnerabilities exist in your enterprise?
- What percentage of systems are managed?
- What percent of vulnerabilities have you validated?
- What is the mean time to remediate a vulnerability?
- What percentage of actionable vulnerabilities was remediated in the past quarter?
- What percent of your operation level agreements are met?
- What percent of IT Security work is unplanned?
- How many security incidents have you experienced during the past quarter?
- What was the average cost of your last five security incidents?
The reason I like this section is that for each of these questions, the guide provides you example answers from a "low performer", "high performer" and a "manager in denial". Sharp auditors who follow the GTAG will be looking for responses along these lines, so I highly recommend folks be familiar with these sections and have their answers with data to back them up ready.
I also like these questions because I know that organizations who use Nessus, the Security Center and the Passive Vulnerability Scanner have an easier time answering these questions. I regularly speak with customer who "confirm" network based vulnerabilities discovered with Nessus or the PVS with an agent-less patch audit also performed by Nessus. I also know that many of the reporting features we've put into the Security Center came as requests directly from customers who had to produce reports and data similar to what the GTAG is asking.