The information risk manager at a global retail banking organization struggled to quantify the business risk that imperfect server operating systems posed. In order to control that risk, she wanted to prove that her IT operations team was meeting the bank's server OS compliance and maintenance goals. After defining server security requirements and using automated penetration testing and configuration management tools, she was able to evaluate the overall server compliance rate. Armed with knowledge of the greatest areas of risk, she efficiently allocated her budget to reduce that risk and easily justified those decisions to her supervisors.