Automating vulnerability assessment & management

Friday 20th January, 2017

How the University of Winchester reduced its cyber security risk by automating vulnerability assessment, management and reporting

The challenge: Assessing vulnerabilities across the institution

In today’s IT security environment, institutions know that risk assessment is a vital step on the road to risk reduction. When Sean Ashford, network and systems manager at the University of Winchester, conducted a detailed risk assessment of the University’s IT infrastructure, it identified the need for a more proactive and automated approach to assessing and managing vulnerabilities across the large network. How else would Sean’s team identify, manage and patch all 150+ servers without consuming all of their time?

The solution: Jisc’s vulnerability assessment and information service

In May 2016, Ashford attended a presentation given by KHIPU Networks, who provide the Jisc vulnerability assessment and information service. This service automates the process of vulnerability scanning and provides reporting to help institutions prioritise and act on areas of risk. The University of Winchester procured the service via the Jisc framework – allowing Ashford to check his institution’s IT assets against an extensive list of potential security vulnerabilities.

Benefits to staff, students and reputation: Reduced IT security risk

“One of the main benefits of the service is that it reduces the University of Winchester’s overall vulnerability to a breach,” giving Sean and his team greater peace of mind. “Our IT infrastructure is more stable, more up to date and more secure,” Ashford says. Granular reporting allows Ashford’s team to prioritise risk: the system not only supplies a list of vulnerabilities, but classifies these vulnerabilities by potential severity and by server (host). And best of all, it’s of practical use: “The report doesn’t only tell you what’s wrong; it also tells you how to remedy it,” says Ashford.

Efficiency benefits: The advantage of buying through Jisc

Buying the system through Jisc’s purchasing framework allowed the University to procure and implement the service quickly, without delaying the start of its risk assessment and reduction process. This saved the University valuable time that it would otherwise have spent procuring from potential providers.

“It would take at least a year for one person to look at patching levels on each server and do a risk assessment on each one. Previously we’ve had external companies do vulnerability reports – but in nowhere near the amount of detail and without explanations on how to fix issues. The Jisc service looks at every element of your infrastructure and identifies anything that’s remotely vulnerable. We found the Jisc framework easy to use, and completely compatible with the university’s financial rules and regulations – which sped up procurement of the service.”

Sean Ashford, Network and Systems Manager, University of Winchester
