
A large, private research university needed help to review the vulnerability management processes managed by IT.
Serving the university’s internal audit function, Baker Tilly reviewed vulnerability management processes and validated the approach to resolve vulnerabilities and mitigate the risk to university systems and data. We interviewed stakeholders and walked through processes to understand:
We reviewed the results of recent vulnerability scans to validate that vulnerabilities were resolved following the established practices. We analyzed metrics for measuring vulnerability management practices and recommended enhancements to better measure the successes of vulnerability management. Finally, we analyzed the intersection of vulnerability management and other key IT process areas, including asset management, change management and patch management.
The university and IT received the results of our analysis, including recommendations for improvement of controls around the vulnerability management process. Our work helped the university better understand the risks of potential exposure or loss of university data and impacts to system availability, and ultimately improve vulnerability remediation and monitoring processes.