Changing How Vulnerabilities are Audited

by Brian Petzold | Jun 12, 2020


Regulators expect that a financial institution will have a vulnerability scan performed by an independent third party at least annually. This scan normally occurs during the annual audit, with the result being a thick report detailing every vulnerability that was discovered. This past week, I found myself having conversations with four different people about how to handle the results of these scans. Should each vulnerability be turned into a tracked audit finding? Should all of the high risks be combined into a single finding?

The problem I have with this question is that either way, we are only forcing an already busy IT department to track, in a different (and manual) way, the vulnerabilities it is already tracking, which actually diminishes the effectiveness of vulnerability management. As an industry, we are missing out on the value that these independent scans can and should offer.

The purpose of an audit should be to test a control. In the case of an audit of vulnerabilities, the control that should be tested is the existing vulnerability management program. But auditors who perform vulnerability scans rarely look at the results of internal vulnerability assessments at all.

What if, instead of simply providing vulnerability details, auditors compared their scans to those of the institution, interviewed staff that manage vulnerabilities, and provided a list of process-oriented findings instead? What if the auditor used this comparison to measure effectiveness by answering questions such as:

  1. Is the scope of scanning complete? Are all network assets being scanned?
  2. Are scanning tools accurately discovering vulnerabilities? Has the scan performed by the auditor found any critical vulnerabilities that were not discovered internally?
  3. Based on the age of discovered vulnerabilities which are remediated by patches, is patching being performed effectively?
  4. Based on the age of discovered vulnerabilities which require manual intervention, is IT effectively remediating vulnerabilities?
  5. For vulnerabilities which cannot be remediated, has management assessed and accepted the risk?

By focusing findings on these types of process-level questions, auditors could do far more to help their customers improve patching and vulnerability management than they can with a simple list of vulnerabilities.
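The comparison the five questions describe is mechanical enough to script. The following is an added example, not code from the original post or from Bedel Security: it reconciles a constructed auditor result set against constructed internal scanner records, the list of hosts the internal program actually scanned, and a risk-acceptance register, and answers each of the five questions as a finding list. The host names, vulnerability identifiers, severities, dates, SLA thresholds and record layout are all assumptions made for illustration.

```python
"""Reconcile an independent auditor's scan with internal vulnerability-management
records to produce process-level findings (added example; all data is constructed)."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str       # identifier both scanners agree on (assumed normalized, e.g. a CVE)
    severity: str      # "low" | "medium" | "high" | "critical"
    first_seen: date   # date the scanner first reported it
    fix_type: str      # "patch" | "manual" | "none" (no fix available)


SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}
SLA_DAYS = {"patch": 30, "manual": 90}   # assumed remediation targets by fix type

# Constructed auditor scan results (hypothetical hosts and vulnerability ids)
AUDITOR = [
    Finding("web01", "VULN-1", "critical", date(2020, 5, 1), "patch"),
    Finding("web01", "VULN-2", "high", date(2020, 5, 1), "manual"),
    Finding("db01", "VULN-3", "critical", date(2020, 5, 1), "patch"),
    Finding("legacy02", "VULN-4", "high", date(2020, 5, 1), "none"),
    Finding("print07", "VULN-5", "medium", date(2020, 5, 1), "patch"),
]
# Constructed internal program results (what the institution's own scanner reports)
INTERNAL = [
    Finding("web01", "VULN-1", "critical", date(2020, 2, 10), "patch"),
    Finding("web01", "VULN-2", "high", date(2020, 1, 15), "manual"),
    Finding("db01", "VULN-6", "low", date(2020, 5, 20), "patch"),
    Finding("db01", "VULN-7", "medium", date(2019, 12, 1), "none"),
    Finding("legacy02", "VULN-4", "high", date(2019, 11, 1), "none"),
]
# Hosts the internal scanner is configured to cover (constructed)
INTERNAL_SCANNED_HOSTS = {"web01", "db01", "legacy02"}
# Risk-acceptance register: (host, vuln_id) pairs management has signed off on (constructed)
ACCEPTED = {("db01", "VULN-7")}


def scope_gaps(auditor, scanned_hosts):
    """Q1: hosts the auditor reached that the internal program never scanned."""
    return sorted({f.host for f in auditor} - set(scanned_hosts))


def detection_gaps(auditor, internal, min_severity="critical"):
    """Q2: auditor findings at or above min_severity that the internal scanner missed."""
    known = {(f.host, f.vuln_id) for f in internal}
    floor = SEVERITY_RANK[min_severity]
    return sorted((f.host, f.vuln_id) for f in auditor
                  if SEVERITY_RANK[f.severity] >= floor and (f.host, f.vuln_id) not in known)


def overdue(internal, as_of):
    """Q3/Q4: open internal findings past their SLA, keyed by fix type.
    Findings with no available fix carry no SLA and are excluded here."""
    out = {"patch": [], "manual": []}
    for f in internal:
        if f.fix_type not in SLA_DAYS:
            continue
        age = (as_of - f.first_seen).days
        if age > SLA_DAYS[f.fix_type]:
            out[f.fix_type].append((f.host, f.vuln_id, age))
    return out


def unaccepted_risk(internal, accepted):
    """Q5: findings with no available fix and no recorded management risk acceptance."""
    return sorted((f.host, f.vuln_id) for f in internal
                  if f.fix_type == "none" and (f.host, f.vuln_id) not in accepted)


def reconcile(auditor, internal, scanned_hosts, accepted, as_of):
    """Assemble the five process-level answers into one report."""
    return {
        "scope_gaps": scope_gaps(auditor, scanned_hosts),
        "detection_gaps": detection_gaps(auditor, internal),
        "overdue": overdue(internal, as_of),
        "unaccepted_risk": unaccepted_risk(internal, accepted),
    }


if __name__ == "__main__":
    for question, result in reconcile(AUDITOR, INTERNAL, INTERNAL_SCANNED_HOSTS,
                                      ACCEPTED, date(2020, 6, 1)).items():
        print(f"{question}: {result}")
```

Two caveats matter in practice. Matching on (host, vuln_id) assumes both scanners report the same identifier; in real data the auditor's tool and the internal tool often use vendor plugin IDs, so both sides must be normalized (typically to CVE) before comparison or the detection-gap list fills with false positives. Second, the ages come from the internal scanner's first_seen date, not the auditor's, because the point of question 3 and 4 is how long the institution has known about a weakness, not how long the auditor has.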

If your institution is having trouble reconciling auditor scans with its internal vulnerability management results to determine where its processes can be improved, email us at support@bedelsecurity.com.


Additional Resources:

Information Security Strategy: 5 Tips for Success
https://www.bedelsecurity.com/blog/information-security-strategy-5-tips-for-success

Reactive or Proactive: What Makes the Best CISO
https://www.bedelsecurity.com/blog/reactive-or-proactive-what-makes-the-best-ciso 

The 3 Key Roles in Cybersecurity
https://www.bedelsecurity.com/blog/the-3-key-roles-in-cybersecurity 

Making Strategic Planning Easy
https://www.bedelsecurity.com/blog/making-strategic-planning-easy 

The Top 5 Benefits of a vCISO
https://www.bedelsecurity.com/blog/top-5-benefits-of-a-virtual-ciso 
