Cybersecurity of IT Servers
Audit snapshot
Do agencies' cybersecurity measures protect their IT servers from threats?
Why we did this audit
In 2023, 9 out of 10 Victorian Government organisations experienced a cyber incident. A successful cyber attack can lead to confidential or sensitive information being leaked and can disrupt communication networks and critical infrastructure.
Agencies use IT servers (servers) to store, process and share information to support service delivery. Servers are central to IT systems because they let multiple users access valuable information and functions. If servers are unidentified, do not have mature security controls or have out-of-date operating systems, this can make it easier to gain unauthorised access to information and systems.
Effective cybersecurity measures help protect servers against cyber threats. This audit assessed if government agencies:
- know what servers they have
- apply mature security controls to their servers
- check that the controls they apply work as intended.
This is our second report examining cybersecurity in the Victorian Public Service. Our first report in 2023 found that audited agencies could improve their cloud-based identity management and device management controls.
Key background information
Source: VAGO.
What we concluded
Each agency can do more to improve its server security.
A complete and accurate server inventory is a critical foundation for effective cybersecurity. No audited agency has a complete and accurate inventory of their servers. Without this, agencies cannot reliably apply, manage or monitor the technical security controls needed to protect their servers.
All agencies have outdated operating systems and some servers that lack mature technical security controls. These gaps expose agencies to cyber threats and increase the risk of successful cyber attacks.
We made 2 recommendations for all agencies to improve tracking of their servers and to strengthen the technical security controls applied to them. We made one recommendation for the Department of Government Services to issue guidance on expectations for server security.
1. Our key findings
What we examined
Our audit followed 2 lines of enquiry:
1. Do agencies track all their servers and apply foundational security controls to them?
2. Do agencies monitor their server security and strengthen it in response to threats?
To answer these questions, we examined:
- server inventory information
- technical security controls applied by agencies to their IT servers against the Microsoft cloud security benchmark (MCSB)
- threat and vulnerability monitoring and reporting activities.
We gathered information on technical security controls applied by agencies via a survey and interviews.
Background information
Why server security is important
Victorian Government agencies use servers to store, process and share information and programs to support service delivery and administration. Servers can contain personal or sensitive information about public sector employees or users of public services.
A single vulnerable server can be a pathway for cyber attackers to compromise an IT system or gain unauthorised access to information.
Applying effective cybersecurity measures to IT infrastructure, including servers, is essential to reducing the risk of cybersecurity incidents.
Server
A physical (hardware) or virtual (software) computer that provides services over a digital network to other computers. For example, servers run operating systems and applications, host databases and store information.
Incident
An event that actually or potentially threatens the confidentiality, integrity or availability of an information system or the information the system processes, stores or transmits. An incident can also be a violation or imminent threat of violation of security policies, security procedures or acceptable-use policies.
Vulnerability
A weakness in an information system, its security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.
The zero-trust model
Zero trust is a security model based on the position of not trusting anything inside or outside an agency’s network. Infrastructure is one of the 6 pillars of zero trust, and servers are part of the infrastructure pillar.
Server security must work with protections across all other pillars of the zero-trust model to optimise cybersecurity.
Figure 1: The 6 pillars of zero trust
Source: VAGO, based on information from Microsoft.
Cybersecurity
Cybersecurity is the practice of protecting the confidentiality, integrity and availability of computer systems and information.
Cybersecurity standards, strategies and frameworks
The Victorian Government provides agencies with various standards, strategies and frameworks about cybersecurity.
| In … | the Victorian Government provides information on … |
|---|---|
| Victoria's Cyber Strategy 2021 | its cyber agenda and defines its long-term objectives. |
| the Victorian Government Digital Strategy 2021–26 | its vision for digital transformation, including: |
| the Victorian Government IT Asset Management Guidance | |
| the Victorian Protective Data Security Standards | |
| the Asset Management Accountability Framework | asset management, including information management, over the asset lifecycle. |
| the Victorian Government Cloud Security Guidance | making informed, risk-based decisions about using cloud services. |
Difference between ICT and IT
ICT is a broader term that includes IT and other communications technologies, such as telecommunications.
IT is a subset of ICT that focuses on using systems for storing, retrieving and sending information.
Roles and responsibilities
Agencies are accountable for the cybersecurity of their servers. Standard 11 in the Victorian Protective Data Security Standards requires agencies to establish, implement and maintain ICT security controls.
Some agencies manage their own servers, and some choose to engage a service provider to manage all or part of their server inventory and security.
The Victorian Government Cloud Security Guidance outlines that agencies:
- are responsible for understanding if the security capability provided by a third party is appropriate to the risk within their IT environments
- should determine if any further controls are required.
Even if an agency outsources its server security, it is responsible for:
- ensuring the controls implemented are appropriate for its risk profile and appetite
- ensuring security controls are effective.
Department of Government Services
The Department of Government Services (DGS) is the agency responsible for cybersecurity across government, specifically through its cybersecurity unit.
The cybersecurity unit supports Victorian government agencies with:
- expert cybersecurity threat advice
- strategic guidance
- risk analysis and assurance.
The cybersecurity unit also implements the Mission Delivery Plans under Victoria’s Cyber Strategy 2021.
Cenitex
Cenitex is a state-owned enterprise that delivers ICT services to Victorian Government departments and agencies. Cenitex manages a suite of IT products. It is not mandatory for government agencies to use Cenitex's services, though many do. Some agencies use other third-party service providers.
Technical security controls
The technical security measures that agencies use to protect their servers, such as configurations, settings and policies.
How we have reported findings for individual agencies
We audited the cybersecurity measures applied to servers of Victoria's 10 government departments and Cenitex. Due to the sensitive nature of the security weaknesses we found, our report does not attribute findings to particular agencies. Each agency has received a separate report outlining the weaknesses we found in their technical security controls.
The Department of Health (DH) is represented across 2 entities in our analysis, reflecting the structure of its server environment:
- Health Technology Services is a business unit in DH that provides ICT services to health service providers. In this report, Health Technology Services is treated as a separate entity.
- Other business units of DH share a server platform with the Department of Families, Fairness and Housing. This shared environment is treated as a single entity for the purposes of our report.
What we found
This section focuses on our key findings, which fall into 2 areas:
1. No agency has a complete and accurate server inventory.
2. All agencies can improve the maturity of technical security controls applied to their known servers.
The full list of our recommendations, including agency responses, is at the end of this section.
Consultation with agencies
When reaching our conclusions, we consulted with the audited agencies and considered their views.
You can read their full responses in Appendix A.
Key finding 1: No agency has a complete and accurate server inventory
No agency provided us with a complete and accurate server inventory. Maintaining a complete and accurate server inventory, including each server’s key attributes, is a foundation of effective cybersecurity. Without this, agencies cannot make sure appropriate controls are in place.
Automated asset discovery tools are not set up to capture all servers
Automated asset discovery tools can provide agencies with visibility over:
- what servers they have
- where their servers are located
- how their servers are being used.
The Victorian Government IT Asset Management Guidance and the MCSB point to using automated asset discovery tools as best practice when managing server assets.
Six agencies use passive or active automated asset discovery tools to identify the servers in their network. However, none of these agencies had their automated asset discovery tools set up to cover their entire server environment. This increases the risk that agencies' inventories are incomplete or outdated.
Not all agencies reconcile server information
Agencies can compare and reconcile different information sources to verify their server inventory.
Three agencies reconcile their server inventory across all their server environments. These agencies use processes such as completing an audit of their server inventory and manual verification of server entries.
Server reconciliations are not, however, considered best practice on their own. Best practice typically involves automated asset discovery.
All agencies have server information that is inaccurate or incomplete
We asked all agencies to provide us with an inventory for all their on-premises and infrastructure as a service (IaaS) servers.
Server inventories for all agencies contained incomplete information, such as missing:
- operating system version names or numbers
- host names
- location information.
Eight agencies’ inventories included duplicated server records. This points to weaknesses in how agencies track their server environments.
Infrastructure as a service (IaaS)
A cloud-computing model that delivers on-demand servers, storage and networking. This allows businesses to rent resources, adjust to changing demands for resources and reduce hardware costs.
Addressing this finding
To address this finding, we have made one recommendation to all agencies to improve tracking and accountability for their servers.
Key finding 2: All agencies can improve the maturity of technical security controls applied to their known servers
All agencies have applied technical security controls to their servers. However, the maturity of these controls is low when compared with industry benchmarks.
All agencies are running servers with outdated operating systems. This provides them with a lower level of protection than more recent systems.
Agencies’ technical security controls have low maturity based on industry benchmarks
We considered the maturity of the technical security controls applied by agencies across key elements of server security, including operating systems, security baselines and backup and monitoring. We based our analysis on the MCSB.
Based on this benchmark, we assessed that all agencies have low maturity in terms of the technical security controls applied to their known servers. Some agencies had a higher level of maturity for specific controls, demonstrating some elements of better practice for their known servers.
All agencies have servers with operating systems that are not receiving mainstream support
Most servers are running operating systems that are not receiving mainstream support.
We asked agencies to provide us with their server inventory information, including information on server operating systems. Twenty-five per cent of servers reported by agencies have operating systems that are unsupported and not receiving automatic security updates. A further 11 per cent of server entries reported by agencies had unknown operating systems.
All agencies have unsupported operating systems running on some servers. This makes them more vulnerable to cyber attacks.
All agencies monitor their servers for threats and vulnerabilities. However, agencies cannot be sure that their monitoring activities are fully effective until they address identified gaps in their server inventories and technical security controls.
Cyber attack
A cyber attack is a deliberate attempt by an individual or group to breach, damage or disrupt:
- computer systems
- networks
- digital devices.
This is often for malicious purposes.
Addressing this finding
To address this finding, we have made:
- one recommendation to all agencies about strengthening the technical security controls on their known servers
- one recommendation to DGS about issuing guidance relating to minimum requirements for technical security controls for all Victorian government agencies.
2. Our recommendations
We made 3 recommendations to address our findings. The relevant agencies have accepted the recommendations in full or in principle.
| Recommendation | | | Agency response(s) |
|---|---|---|---|
| Finding: No agency has a complete and accurate server inventory | | | |
| All agencies | 1 | Improve their tracking of all IT servers by (where necessary): | Accepted in principle by Department of Health, Department of Families, Fairness and Housing, Department of Jobs, Skills, Industry and Regions and Department of Transport and Planning. Accepted by all other agencies. |
| Finding: All agencies can improve the maturity of technical security controls applied to their known servers | | | |
| All agencies | 2 | Strengthen technical security controls by: | Accepted in principle by Department of Energy, Environment and Climate Action, Department of Jobs, Skills, Industry and Regions and Department of Transport and Planning. Accepted by all other agencies. |
| Department of Government Services | 3 | In consultation with relevant agencies, issue guidance to agencies that establishes requirements for: | Accepted |
3. Agencies' server inventories
No audited agency has a complete and accurate server inventory.
Automated asset discovery tools used by agencies do not capture all servers, and few agencies use reconciliations to cross-check their server inventory. All agencies provided us with server inventory information that had either incomplete or duplicate entries.
If agencies are not accurately tracking all their servers, they do not have all the information they need to protect their IT infrastructure.
Covered in this section:
- Application of automated asset discovery tools
- Reconciliation of server inventory information
- Incomplete and inaccurate server information
Application of automated asset discovery tools
Maintaining visibility of IT assets
According to the Victorian Government IT Asset Management Guidance, agencies' IT asset registers should hold complete and correct data to avoid IT assets being overlooked. This guidance recommends using automated discovery or scanning tools to help agencies maintain visibility of IT infrastructure.
It can be difficult for one automated asset discovery tool to achieve complete and consistent coverage in a complex IT infrastructure environment such as in many Victorian Government agencies. Agencies may choose to use a range of automated discovery tools suitable to their server environment.
The MCSB
The MCSB is a globally accepted benchmark of best-practice security for a multi-cloud environment. It includes a set of recommendations for organisations to secure cloud services, including security controls and baselines.
The MCSB recommends that organisations track their asset inventory and their risks by using automated asset discovery tools to discover their assets. It recommends tagging and grouping assets based on their:
- service nature
- location
- other characteristics.
Agencies' use of automated asset discovery tools
We surveyed agencies to assess the technical security controls they apply to their servers. We asked agencies if they use automated asset discovery tools across their entire server environment.
| In response to our survey … | reported … | across … |
|---|---|---|
| 3 agencies | that they do not use automated asset discovery tools | any of their servers. |
| 2 agencies | using automated asset discovery tools | some of their servers. |
| 4 agencies | using automated asset discovery tools | their entire server environment. |
This analysis relates to agency responses to our technical security controls survey (9 of 11 audited agencies provided a response).
We tested the settings of the automated asset discovery tools of the 4 agencies that reported using them across their entire server environment. We found that none had their automated asset discovery tools set up to scan for servers across their entire network.
This means that agencies may have servers they do not know about.
Reconciliation of server inventory information
Reconciliation processes
Three agencies carry out reconciliations to track their servers. These processes include:
- manually verifying server entries
- regular audits (including physical audits)
- using secondary tools to monitor server status and manually reflect updates in a master document.
An additional 2 agencies have reconciliation or audit processes for some, but not all, of their server environments.
Server reconciliations can help identify gaps in server inventories, but they are not considered best practice on their own. Best practice typically involves using automated asset discovery tools.
Incomplete and inaccurate server information
Agencies' server inventories
In January 2025, we asked all agencies to provide us with their server inventories for all on-premises and IaaS servers. We asked them to provide these in lists or in registers.
We asked agencies to include information relating to:
- server location (whether the server is a physical or virtual server)
- operating system and version
- host names.
The information we asked for is consistent with the MCSB, which recommends that assets are organised based on their:
- service nature
- location
- other characteristics.
We asked for information on servers managed by agencies and third-party providers. Cenitex provided information for servers it manages on behalf of audited agencies.
Incomplete and inaccurate server information
We analysed the server information agencies provided us and found that all agencies provided an incomplete server inventory. This means that each server inventory had entries missing the:
- operating system version name or number
- host name
- location.
Eight agencies also had duplicate records for the same server entry. The number of duplicate records across agencies ranged from 4 to over 1,000. Duplicates suggest the information has been entered or collated manually, which can increase the risk of inaccurate information.
Incomplete server inventory information can make it harder for agencies to identify and respond to risks that are not captured in this information. These risks include operating systems or servers not receiving mainstream support.
These findings highlight significant weaknesses in how agencies track their server environments.
Informed by our audit findings, some agencies did follow-up work to resolve missing and duplicated information.
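The checks described in this section (missing attributes, duplicate records, and reconciling an inventory against what a discovery tool sees) can be run over an inventory export, as in the following added example. It is not VAGO's or any agency's code; the column names, host names and discovery output are constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample data: an inventory export and the host names reported by
# a discovery scan. Column names and all values are assumptions.
INVENTORY_CSV = """hostname,os_name,os_version,location
app01.corp.example,ExampleOS Server,2022,on-premises
APP01,ExampleOS Server,2022,on-premises
db01.corp.example,ExampleOS Server,,on-premises
web02.corp.example,ExampleOS Server,2019,
,ExampleOS Server,2016,iaas
file03.corp.example,ExampleOS Server,2012,iaas
"""
DISCOVERED_HOSTS = ["app01.corp.example", "db01", "web02.corp.example",
                    "legacy07.corp.example"]

REQUIRED_FIELDS = ("hostname", "os_name", "os_version", "location")


def normalise_host(name):
    """Reduce a host name to a comparison key: trimmed, lower case, short name.

    Assumption: short names are unique across domains in this environment.
    """
    return name.strip().lower().split(".")[0]


def load_inventory(text):
    """Parse the CSV export into dicts, recording each record's line number."""
    rows = []
    # Line 1 of the export is the header, so records start at line 2.
    for line_no, row in enumerate(csv.DictReader(io.StringIO(text)), start=2):
        clean = {k: (v or "").strip() for k, v in row.items() if k is not None}
        clean["line"] = line_no
        rows.append(clean)
    return rows


def audit_inventory(rows, discovered):
    """Return incomplete records, duplicate groups and reconciliation gaps."""
    incomplete = []
    by_host = defaultdict(list)
    for row in rows:
        missing = [f for f in REQUIRED_FIELDS if not row.get(f, "")]
        if missing:
            incomplete.append((row["line"], missing))
        if row.get("hostname"):
            by_host[normalise_host(row["hostname"])].append(row["line"])
    # The same server recorded twice, for example as a short name and an FQDN.
    duplicates = {h: lines for h, lines in by_host.items() if len(lines) > 1}
    seen = {normalise_host(h) for h in discovered}
    return {
        "incomplete": incomplete,
        "duplicates": duplicates,
        # Seen on the network but absent from the inventory.
        "untracked": sorted(seen - set(by_host)),
        # In the inventory but not seen by discovery (stale or out of scan scope).
        "not_seen": sorted(set(by_host) - seen),
    }


if __name__ == "__main__":
    report = audit_inventory(load_inventory(INVENTORY_CSV), DISCOVERED_HOSTS)
    for key, value in report.items():
        print(f"{key}: {value}")
```

A record with no host name cannot be matched to discovery output at all, so it is counted as incomplete but cannot appear in either reconciliation list.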
Impact of incomplete and inaccurate information
For agencies to secure their servers and apply foundational technical security controls to them, they must first know what servers they have.
Without a complete and accurate server inventory, agencies cannot effectively manage their server security.
Agencies also cannot know what technical security controls are applied to servers that they do not know about.
4. Server security controls
All agencies can improve the technical security controls applied to their known servers.
Based on our assessment against established industry benchmarks, the maturity level of technical security controls applied by all agencies to their known servers is low.
Most known servers are running operating systems that are not receiving mainstream support.
These factors increase the risk that agencies will not detect server vulnerabilities.
Given the weaknesses we identified in each agency’s server inventory (as explained in Section 3), the following information reflects servers that the agencies know about.
Agencies' security controls and monitoring activities will only be fully effective if they are applied to all their servers.
Covered in this section:
- Maturity of technical security controls applied to servers
- Servers’ operating systems
- Monitoring and reporting threats and vulnerabilities
Maturity of technical security controls applied to servers
Benchmarks and standards for technical security controls
Standard 11 of the Victorian Protective Data Security Standards requires Victorian Government departments to establish, implement and maintain ICT security controls.
The MCSB provides a globally accepted benchmark that reflects best-practice technical security controls for a multi-cloud environment.
We developed a model based on the MCSB. We used this to assess the maturity of agencies' technical security controls applied to their servers.
While the model is based on the MCSB, we also considered equivalent controls under other widely accepted industry benchmarks, such as those established by the:
- Center for Internet Security
- National Institute of Standards and Technology.
This provided a consistent framework to assess agencies’ technical security controls.
VAGO's maturity model for server security
In our maturity model, we looked at all MCSB controls relevant to server security and grouped them into 5 key elements.
| The ... | element is important because … |
|---|---|
| operating system version | using a vendor-supported operating system ensures access to critical security updates and patches. |
| industry-standard hardened images | they provide a uniform approach for reducing server vulnerabilities. |
| industry security baselines | they establish a minimum security standard and help to assess if new or critical security controls are in place. |
| access control and patching | it limits unauthorised access and fixes known vulnerabilities. |
| backup and monitoring | it better enables an agency to identify, respond to and recover from security threats and risk. |
Maturity levels range from level 1 at the lowest end through to level 5. These levels are based on the impact the controls have on the risk environment and are defined below.
- Level 1 (initial): high risk with lack of controls, or inconsistently applied basic compliance controls.
- Level 2 (managed): moderate risk with basic compliance controls.
- Level 3 (defined): moderate to low risk with some manual controls and slower response.
- Level 4 (proactive): low risk with strong, reliable controls.
- Level 5 (optimised): very low or minimal risk with highly secure controls.
Our maturity model is set out in full in Appendix D.
Industry-standard hardened images
A system image is a copy of a computer’s entire system. Industry-standard hardened images are system images that have been preconfigured to meet industry best practices. This includes those in the Center for Internet Security’s benchmarks and the National Institute of Standards and Technology’s guidelines.
Patching
Patches are software and operating system updates that address security vulnerabilities within a program or product.
Agency assessments
We surveyed agencies to assess the technical security controls they apply within each of the 5 elements in our maturity model.
Nine agencies responded. We note that 2 agencies outsource their server management to Cenitex. These agencies did not provide a response to our survey. The technical security controls for these agencies are reflected in the survey responses provided by Cenitex.
Our assessment of the maturity of agencies’ technical security controls is summarised in Figure 2.
All agencies can improve the maturity of technical security controls applied to their known servers.
For overall maturity, we assessed all agencies as being at level 1, which is equivalent to a high-risk environment.
Across the 5 key elements of server security, we assessed all agencies as being at level 1 (the lowest level on our maturity model) for operating system version.
Some agencies achieved higher outcomes across other elements. For example, we assessed one agency at level 3 for industry security baselines.
Figure 2: Our assessment of agencies' technical security controls maturity
Note: Each number represents the number of agencies that reached that level for the particular element.
Source: VAGO.
Our assessment reflects a cumulative approach, which is consistent with the approach taken by the Australian Signals Directorate’s Essential Eight model. This approach requires an organisation to implement all controls at a certain level to progress to the next.
For example, for an agency to reach level 3 maturity overall, it would need to have all level 3 and all lower-level technical security controls in place across the 5 elements. This recognises that gaps in these lower-level controls can undermine the effectiveness of more advanced protections elsewhere.
We made our assessments at an agency level. This means that we took the lowest level achieved by any business unit of an agency (where an agency provided this detail to us) as the agency’s overall rating.
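The cumulative scoring described above can be expressed in a few lines, as in the following added example. It is not VAGO's model or code: the control identifiers, the two controls per level and the per-element roll-up across business units are assumptions, and the audit's actual controls are those in its Appendix D.

```python
# Level names as defined in the report; level 1 is the floor.
LEVEL_NAMES = {1: "initial", 2: "managed", 3: "defined",
               4: "proactive", 5: "optimised"}

# The 5 elements of the maturity model (identifiers shortened here).
ELEMENTS = ("os_version", "hardened_images", "security_baselines",
            "access_patching", "backup_monitoring")

# Hypothetical catalogue: two placeholder controls per element per level.
CATALOGUE = {
    e: {lvl: [f"{e}:L{lvl}:a", f"{e}:L{lvl}:b"] for lvl in range(2, 6)}
    for e in ELEMENTS
}


def all_controls(element, *levels):
    """Every catalogue control for an element at the given levels."""
    return {c for lvl in levels for c in CATALOGUE[element][lvl]}


def element_level(required_by_level, implemented):
    """Highest level for which all controls at that level and below are in place."""
    level = 1
    for lvl in sorted(required_by_level):
        if not set(required_by_level[lvl]) <= implemented:
            break  # a gap here blocks every higher level
        level = lvl
    return level


def unit_assessment(implemented):
    """Level reached by one business unit for each element."""
    return {e: element_level(CATALOGUE[e], implemented) for e in ELEMENTS}


def agency_assessment(units):
    """Agency rating: lowest level of any business unit, per element and overall."""
    per_unit = [unit_assessment(impl) for impl in units.values()]
    by_element = {e: min(u[e] for u in per_unit) for e in ELEMENTS}
    return by_element, min(by_element.values())


# Constructed business units. Unit A has all level 4 access controls but no
# level 3 ones, and only one of the two level 2 hardened-image controls.
UNIT_A = (all_controls("security_baselines", 2, 3)
          | {"security_baselines:L4:a"}
          | all_controls("access_patching", 2, 4)
          | all_controls("backup_monitoring", 2)
          | {"hardened_images:L2:a"})
UNIT_B = (all_controls("security_baselines", 2)
          | all_controls("access_patching", 2, 3))
UNITS = {"unit_a": UNIT_A, "unit_b": UNIT_B}

if __name__ == "__main__":
    by_element, overall = agency_assessment(UNITS)
    for element, level in by_element.items():
        print(f"{element}: level {level} ({LEVEL_NAMES[level]})")
    print(f"overall: level {overall} ({LEVEL_NAMES[overall]})")
```

Unit A's level 4 access controls do not count because its level 3 controls are missing, which is the effect of the cumulative approach.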
Impacts of low technical security controls maturity
Without sufficient and effective safeguards, agencies are exposed to increased risks of cyber attacks such as:
- unauthorised access
- information breaches
- operational disruptions.
During the audit, some agencies noted that they use 'compensating controls' not captured by the MCSB or equivalent standards. Some agencies may apply these controls where they cannot apply the recommended technical security control. These compensating controls include:
- internal policies
- security tools
- review processes.
We did not assess controls outside of our server security maturity model as this is not within the scope of this audit.
Improvements to agencies' technical security controls
Following the conduct phase of our audit, we asked agencies to update us on their planned initiatives to improve their technical security controls.
One agency plans to develop a cybersecurity controls and assurance framework, which will include controls around IT asset management as well as managing access to server accounts.
Another agency is establishing a cybersecurity committee. It will also implement a program to carry out:
- vulnerability management through server scanning and monitoring
- regular penetration testing to identify vulnerabilities in server security.
Another agency anticipates having automated asset discovery tools in place by November 2025.
Servers’ operating systems
Importance of supported operating systems
The version of an operating system is a key indicator of a server’s security maturity.
Servers can be running on operating systems that are either:
- in mainstream support (actively supported by the vendor)
- in extended support (receiving limited updates)
- unsupported (no longer receiving security updates, bug fixes or technical assistance).
Servers running operating systems that are in mainstream support typically:
- receive critical security updates
- receive the latest security features
- integrate with other protective tools.
Outdated or unsupported operating systems typically lack these capabilities.
Servers with operating systems that are unsupported or running on extended support may require increased monitoring and custom solutions or services. These could be costly and inefficient compared to supported operating systems. For example, servers on extended support require an end-of-life plan before the operating system becomes unsupported.
Operating system
An operating system is a program that runs on a computer and provides a software platform on which other programs can run.
Servers with unsupported operating systems
In January 2025, we asked agencies to provide us with their server inventory information, including the operating system and version for each server. We used this information to assess the status of support provided to operating systems running on known servers.
Our analysis of this information showed that 25 per cent of server entries reported by agencies had operating systems that are unsupported.
A further 11 per cent had unknown operating systems. Operating system names and numbers in these server records were either missing or incomplete. These servers are at higher risk of security breaches. This is shown in Figure 3.
All agencies reported some servers running unsupported operating systems or with an unknown status.
Figure 3: Status of operating systems across all agencies by percentage of servers
Note: Percentages do not add up to 100 per cent due to rounding.
Source: VAGO, based on agencies’ server inventory information.
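The following added example shows one way to derive the support statuses used in this section from free-text operating system entries in an inventory. It is not VAGO's analysis code; the product name, lifecycle dates, sample entries and the exact assessment day are constructed, and it assumes support dates are set per major version.

```python
import re
from collections import Counter
from datetime import date

STATUSES = ("mainstream", "extended", "unsupported", "unknown")

# Constructed lifecycle table for a fictional product:
# (product, major version) -> (end of mainstream support, end of extended support).
# In practice these dates come from the vendor's published lifecycle data.
LIFECYCLE = {
    ("exampleos", "8"): (date(2019, 6, 30), date(2023, 6, 30)),
    ("exampleos", "9"): (date(2023, 6, 30), date(2027, 6, 30)),
    ("exampleos", "10"): (date(2028, 6, 30), date(2032, 6, 30)),
}

# Product name followed by a version number; edition suffixes are ignored.
OS_PATTERN = re.compile(r"^([a-z][a-z ]*?)\s+(\d+)")


def parse_os(text):
    """Return (product, major version), or None if the entry is missing or incomplete."""
    match = OS_PATTERN.match((text or "").strip().lower())
    if not match:
        return None
    return match.group(1), match.group(2)


def support_status(os_text, as_of):
    """Classify one inventory entry as at the given date."""
    key = parse_os(os_text)
    if key is None or key not in LIFECYCLE:
        return "unknown"  # cannot be assessed, so treat as higher risk
    mainstream_end, extended_end = LIFECYCLE[key]
    if as_of <= mainstream_end:
        return "mainstream"
    if as_of <= extended_end:
        return "extended"
    return "unsupported"


def summarise(os_values, as_of):
    """Percentage of entries in each status, rounded to whole numbers."""
    if not os_values:
        return {s: 0 for s in STATUSES}
    counts = Counter(support_status(v, as_of) for v in os_values)
    return {s: round(100 * counts[s] / len(os_values)) for s in STATUSES}


# Constructed inventory entries with the inconsistent naming typical of
# manually maintained registers.
SAMPLE_OS_VALUES = [
    "ExampleOS 10", "exampleos 10.2",
    "ExampleOS 9 Standard", "ExampleOS 9", "EXAMPLEOS 9",
    "ExampleOS 8", "ExampleOS 8.1",
    "ExampleOS", "",
]
AS_OF = date(2025, 1, 31)  # constructed day within January 2025

if __name__ == "__main__":
    for status, pct in summarise(SAMPLE_OS_VALUES, AS_OF).items():
        print(f"{status}: {pct} per cent")
```

With whole-number rounding the sample percentages total 99, the same effect noted under Figure 3.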
Servers with operating systems approaching end of life
We asked agencies 2 questions about how they manage servers using operating systems that are at, or approaching, end of life (unsupported).
| We asked agencies if they have … | and we found … |
|---|---|
| a tool in place to track the lifecycle of server assets, including operating systems at end of life | 4 agencies have this. |
| a process for managing operating systems that are approaching end of life | 3 agencies (including 2 mentioned above) have this. |
This analysis relates to agency responses to our technical security controls survey. Nine of 11 audited agencies provided a response.
Agencies that do not track the lifecycle of their assets, including if they are reaching end of life, will not know when their servers need to be updated or decommissioned.
Monitoring and reporting threats and vulnerabilities
Monitoring cyber threats
Victorian Government agencies are accountable for protecting their networks against cyber threats.
The implementation guidance for the Victorian Protective Data Security Standards recommends that agencies log system events and actively monitor them to detect potential security issues.
The guidance does not direct agencies to use a specific process or requirement for detecting threats. Instead, it is up to each agency to decide how they monitor and protect against cyber threats.
Cyber threat
Any circumstance or event affecting an information system that has the potential to negatively impact an organisation's operations, assets or individuals. This can be through:
- unauthorised access to information
- destruction of information
- disclosure of information
- modification of information
- denial of service.
All agencies monitor cyber threats and incidents
We assessed if all agencies monitor cyber threats and incidents. We found that all agencies have mechanisms in place to do so.
We found that all agencies:
- have an automated threat alert system in place
- have a cybersecurity incident register, or equivalent, to log incidents
- use intrusion detection and prevention systems. These are tools that agencies can use to protect their servers by blocking or detecting cyber threats.
Monitoring server vulnerabilities
Vulnerability scanning helps agencies identify security vulnerabilities, both known and potential.
The implementation guidance for the Victorian Protective Data Security Standards suggests that organisations carry out vulnerability management activities prioritised by risk. These activities can include:
- patch management
- penetration testing
- using continuous monitoring systems.
The Victorian Government IT Asset Management Guidance recommends that agencies receive regular information on vulnerabilities impacting their IT assets.
Not all agencies proactively manage server vulnerabilities
We asked agencies for information on how they monitor their servers for vulnerabilities. We found that not all agencies are proactively managing all their servers for vulnerabilities.
This may mean that agencies are not effectively reducing the risk of these servers being exploited by cyber attackers.
| We found … | agencies … | which helps them to… |
|---|---|---|
| 7* | monitor for vulnerabilities | identify where weaknesses and risks exist and reduce them accordingly. |
| 8* | perform regular vulnerability scans to detect missing patches | keep their IT systems up to date with the latest security patches. |
| 5* | prioritise patching based on a risk-scoring model | |
| 7 | conduct regular penetration testing of their servers | find and exploit vulnerabilities in IT systems. By simulating attacks, testers can identify weak spots in systems that could be exploited by real-world attackers. |
*This analysis relates to responses to our technical security controls survey, to which only 9 out of 11 agencies responded.
Reporting on server threats and vulnerabilities
We assessed if all agencies report on their server threats and vulnerabilities.
We found that all agencies report internally on their monitoring of server threats and vulnerabilities at least monthly, with some agencies reporting this information fortnightly or weekly.
Appendix A: Submissions and comments
Download a PDF copy of Appendix A: Submissions and comments.
Appendix B: Abbreviations, acronyms and glossary
Download a PDF copy of Appendix B: Abbreviations, acronyms and glossary.
Appendix C: Audit scope and method
Download a PDF copy of Appendix C: Audit scope and method.
Appendix D: VAGO's maturity model for server security
Download a PDF copy of Appendix D: VAGO's maturity model for server security.
