10-Step Security and Vulnerability Assessment Plan

Written By
ITBE Staff
Aug 12, 2010

A security assessment is conducted to determine the degree to which information system security controls are correctly implemented, whether they are operating as intended, and whether they are producing the desired level of security. A vulnerability assessment is conducted to determine the weaknesses inherent in the information systems that could be exploited leading to information system breach. Without security and vulnerability assessments, the potential exists that information systems may not be as secure as intended or desired.

A security assessment policy should apply to all information systems and information system components of a given company. Specifically, it includes:

  • Mainframes, servers and other devices that provide centralized computing capabilities.
  • SAN, NAS and other devices that provide centralized storage capabilities.
  • Desktops, laptops and other devices that provide distributed computing capabilities.
  • Routers, switches and other devices that provide network capabilities.
  • Firewalls, IDP sensors and other devices that provide dedicated security capabilities.

Security and vulnerability assessments should be performed against all information systems on a pre-determined, regularly scheduled basis. While both security and vulnerability assessments may be performed by internal staff on an ongoing basis, it is recommended that third parties be retained periodically to ensure appropriate levels of coverage and oversight.

Info-Tech Research Group has developed the following outline for conducting a thorough assessment. You can also download their Security Assessment Policy at no cost from the IT Business Edge Knowledge Network.

Security and Vulnerability Assessment

The 10-step security and vulnerability assessment plan outlined by Info-Tech Research Group:

  • Determine the scope of assessments to be performed.
  • Establish a prioritized assessment schedule.
  • Identify and gather required skills and tools.
  • Create an assessment implementation plan.
  • Review system documentation, including system configuration documents and system log files, to determine the expected security configuration and capabilities of the system.
  • Identify and analyze the target system through investigative techniques that include network footprinting, port and service scanning, and vulnerability assessment.
  • Validate vulnerabilities that may be discovered through techniques that include penetration testing, password cracking and social engineering.
  • Review validated assessment findings to determine the risk and cost impact on the organization.
  • Create a final report outlining the findings of the assessment.

Violations of any of the constraints of the established policies or procedures should be considered a security breach and, depending on the nature of the violation, appropriate sanctions should be applied. Such action may include a written reprimand for a minor breach, suspension for multiple minor breaches or a major breach, or termination for multiple major breaches.
