Problem Statement: Today’s cybersecurity threats require organizations to constantly check for vulnerabilities. An information system vulnerability assessment is a strategic decision to identify vulnerabilities and cybersecurity gaps in an organization’s information systems. Existing literature tells us that the daily practice of security vulnerability assessment is an important organizational strategy. This study assesses an Ethiopian bank to identify its cybersecurity practices and suggests ways to improve information system vulnerability assessment and steps to make it a daily practice.

Methodology: A qualitative case study research method is applied. We collected data through interviews and document analysis. Eight respondents were intentionally selected based on their participation in the organization’s vulnerability assessment. The thematic analysis technique is applied to analyze the data.

Findings: The investigation revealed cybersecurity vulnerabilities; weaknesses and gaps in the cybersecurity practices of the case bank were identified. No defined vulnerability assessment methods were found. Vulnerability gaps have been identified in many of the bank’s processes, including vulnerability assessment, risk assessment, remediation, verification, and monitoring.

Conclusion: The study identified challenges including lack of staff knowledge and understanding of vulnerability assessment, lack of professionals trained to perform vulnerability testing, managers’ negative perceptions of scanning and remediation responsibilities, and lack of pre-defined standard operating procedures. The study concludes by recommending strategies for an effective vulnerability assessment process in banks.