Vulnerability Assessment

Process to analyze, evaluate, and review entities (software applications, devices, networks, systems).

Identify and categorize issues that may be exploited, or that constitute a risk to the normal operation of the entity.

Assessment vs Audit

Audit

  • Determines compliance with a standard.

  • Scope: A given standard and its control points.

Assessment

  • Determines how good or bad something is.

  • Scope: may be broad. It is driven by risk, compliance, and contractual requirements.

  • Aims to help improve systems.

  • It is done before the audit, to identify any loopholes.

  • It is done after the audit, to measure how effective the audit was.

Relevant Reference

SANS Institute, Scoping Security Assessments - A Project Management Approach, 2020
