What is it?
A process for defining, identifying, classifying, and prioritizing potential weaknesses in an organization’s computer, network, and communications infrastructure, also known as vulnerability analysis or security assessment.
Why is it important?
When conducted correctly, results from a vulnerability assessment can be used to define or update an organization’s internal and external network as well as its information security policies.
Why does a business professional need to know this?
Vulnerability assessments provide cybersecurity specialists, and the organizations they serve, with a reasonable level of assurance that their information is safeguarded against known threats such as viruses, adware, spyware, trojans, worms, backdoors, bots, and Potentially Unwanted Programs (PUP)[Schaffzin-Jeff 1].
Vulnerability assessments help cybersecurity specialists determine where to allocate finite resources to minimize the potential for security breaches. They also help organizations determine what course of action to follow if – and when – threats are discovered. Business professionals must understand the elements of a vulnerability assessment and support their cybersecurity specialists in creating one and keeping it up to date.
For organizations that are mandated to follow specialized security standards (e.g., HIPAA[Schaffzin-Jeff 2], PCI DSS[Schaffzin-Jeff 3], or GDPR[Schaffzin-Jeff 4]) vulnerability assessments can help identify areas of weakness that need hardening.
Vulnerability assessments may include the following:
- Cybersecurity audits: audits to evaluate and demonstrate compliance with government-imposed regulations. Cybersecurity audits have both a tactical and strategic component – tactically, they help organizations comply with security standards, and strategically, they help organizations monitor their internal security efforts.
- Penetration tests: authorized testing of a computer system or network with the intention of finding vulnerabilities. Penetration tests are typically intended to counter specific threats, such as attempts to steal customer data, gain administrative privileges, or modify salary information.
- White/grey/black-box assessments: three different approaches to vulnerability assessments. The color refers to how much internal information is given to the tester: white box gives the tester access to all internal information, black box gives the tester zero internal information, and grey box gives the tester a limited amount of information, for example the internal data structures.