Vulnerability Assessment
Process to analyze, evaluate, and review entities (software applications, devices, networks, systems).
Identifies and categorizes issues that may be exploited, or that constitute a risk to the normal operation of the entity.
Assessment vs Audit
Audit
Determines compliance to a standard.
Scope: A given standard and its control points.
Assessment
Determines how good or bad something is.
Scope: may be broad. It is driven by risk, compliance, and contractual requirements.
Aims to help improve systems.
Assessments may be done before an audit, to identify any loopholes.
They may also be done after an audit, to measure how effective the audit was.
Relevant Reference
SANS Institute, Scoping Security Assessments - A Project Management Approach, 2020