What is it?
A process for defining, identifying, classifying, and prioritizing potential weaknesses in an organization’s computer, network, and communications infrastructure, also known as vulnerability analysis or security assessment.
Why is it important?
When conducted correctly, results from a vulnerability assessment can be used to define or update an organization’s internal and external network as well as its information security policies.
Why does a business professional need to know this?
Vulnerability assessments provide cybersecurity specialists, and the organizations they serve, with a reasonable level of assurance that their information is safeguarded against known threats such as viruses, adware, spyware, trojans, worms, backdoors, bots, and Potentially Unwanted Programs (PUP)(ITBusinessEdge 2014).
Vulnerability assessments help cybersecurity specialists determine where to allocate finite resources to minimize the potential for security breaches. They also help organizations determine what course of action to follow if -- and when -- threats are discovered. Business professionals must understand the elements of a vulnerability assessment and support their cybersecurity specialists in creating one and keeping it up to date.
For organizations that are mandated to follow specialized security standards (e.g., HIPAA(HIPAA), PCI DSS(PCI-DSS), or GDPR(General Data Protection Regulation)) vulnerability assessments can help identify areas of weakness that need hardening.
Vulnerability assessments may include the following:
- Cybersecurity audits: audits to evaluate and demonstrate compliance with government-imposed regulations. Cybersecurity audits have both a tactical and strategic component -- tactically, they help organizations comply with security standards, and strategically, they help organizations monitor their internal security efforts.
- Penetration tests: authorized testing of a computer system or network with the intention of finding vulnerabilities. Penetration tests are typically intended to counter specific threats, such as attempts to steal customer data, gain administrative privileges, or modify salary information.
- White/grey/black-box assessments: three different approaches to vulnerability assessments. The color refers to how much internal information is given to the tester: white box gives the tester access to all internal information, black box gives the tester zero internal information, and grey box gives the tester a limited amount of information, for example the internal data structures.
- (ITBusinessEdge 2014) 10-Step Security and Vulnerability Assessment Plan: ITBusinessEdge (2014). Slide deck. Suggests security and vulnerability assessments be performed against all information systems on a pre-determined, regularly scheduled basis. Recommends third parties be retained periodically to ensure appropriate levels of coverage and oversight. (source: Info-Tech Research Group).
- (HIPAA) HIPAA Overview: US Department of Health and Human Services (2015). Answers general questions regarding the Standards for Privacy of Individually Identifiable Health Information and the Health Insurance Portability and Accountability Act (HIPAA) of 1996.
- (PCI-DSS) PCI DSS (Payment Card Industry Data Security Standard) Compliance Overview: TechTarget (2017). Overview of policies and procedures developed to protect credit, debit, and cash card transactions and prevent the misuse of cardholders’ personal information.
- (General Data Protection Regulation) GDPR (EU General Data Protection Regulation): Frequently asked questions regarding GDPR.