End-to-end vulnerability management audit: from creating the analysis dashboard to delivering the strategic report and actionable remediation plan.

adeolasopade/Vulnerability-Management-Audit

Vulnerability Management Audit

This project draws on real consulting work, with all company details fully anonymised.


This was a comprehensive audit of the vulnerability management program at Straton Blank Ltd (SBL), evaluating its effectiveness in protecting critical systems. The end-to-end project involved creating both the operational analysis tool, the Vulnerability Management Dashboard, and the formal strategic Vulnerability Management Audit Report.

The audit focused on a key business risk: the repeated failure to meet internal remediation deadlines, which exposed the company to security breaches and compliance issues.


The Approach

  • Analysis of the Dashboard showed critical vulnerabilities, such as missing Windows updates, consistently exceeding the 14-day SLA.
  • The Audit Report diagnosed root causes:
    • Its "Adequate" Assurance Opinion confirmed controls had gaps.
    • The Findings linked dashboard data to failures in oversight and coordination.

Insights & Recommendations

  • Slow Critical Remediation: Breaches of the 14-day SLA were common. Recommendation: Establish a formal triage group, escalation rules, and SLA monitoring.
  • Poor Team Coordination: Remediation was siloed across teams, reducing effectiveness. Recommendation: Establish cross-functional ownership with regular, documented review meetings to coordinate efforts.
  • Vendor Patch Gaps: Supplier contracts lacked enforceable timelines, prolonging risk exposure. Recommendation: Update procurement clauses to mandate that suppliers remediate vulnerabilities within defined, industry-standard timeframes.

Reflection & Learning

The audit highlighted that a dashboard is only as effective as its governance framework. The key was connecting operational data to process failures to drive actionable fixes.

For future improvement, integrating the dashboard with the corporate ITSM system would automate ticketing and escalations, ensuring accountability and closure.


Linked Project Documents
