To understand how you can protect an organization's information technology properly through the use of a vulnerability assessment (VA), it is important to frame how you define a VA. For the context of this discussion, a VA is the process of identifying and quantifying vulnerabilities within a system. It can be used against many different types of systems, such as a home security alarm, a nuclear power plant, a military outpost, and a corporate computer environment. A VA is different from a risk assessment, even though they sometimes share some of the same commonalities.

VAs are concerned with the identification of vulnerabilities, the possibilities of reducing those vulnerabilities, and the improvement of the capacity to manage future incidents. In this article, I focus primarily on VA as it pertains to information technology infrastructures. Many times, an information technology VA can be conducted in conjunction with or overlapping a physical security VA. For the discussion here, I deal with information technology VAs only.

Preparation and Execution

A VA is a critical process that should be followed in any organization as a way to identify, assess, and respond to new vulnerabilities before they can be exploited by an external or internal threat. Generally, the assessing organization will perform a few common steps – outlined here and discussed in this article – when conducting a VA project for another organization:

1. Obtain written approval from the organization for which you are conducting the VA.
2. Find and document which information systems within the organization will be part of the VA and, just as importantly, which information systems will not be included.
3. Define what tools, processes, and steps will take place before, during, and after the VA is conducted.
4. Determine when the VA will occur (accurate date and time).
5. Conduct the VA.
6. Compile reports based on your findings from the VA.
7. Brief the organization in person and in writing of your findings from the VA.
8. If requested by the organization, put a plan in place to remediate the vulnerabilities found.

To understand how to frame a successful VA, a brief discussion of assets, threats, and vulnerability is useful.

Assets

An asset in the general sense is an organization's property or information that is of significant value (i.e., a critical asset). In risk management, an asset refers to the amount of damage losing an asset will cause if something bad occurs. Given that most enterprise networks have hundreds or thousands of networked information systems, vulnerability analysis and assessment by manual methods are virtually impossible. Additionally, it is impossible to ensure completely that all assets are secure. Therefore, it is imperative that information security managers and system owners focus on identifying only their critical assets – that is, those assets without which the organization's key missions would be significantly degraded or cease to function. This is a key part of the risk assessment process.

Threats

Risks to critical assets can come from a variety of threats that can be considered possible hazards and usually fall into three categories: man-made (intentional), natural disaster, and accidental (unintentional) disruptions. Therefore, an effective approach to threats will consider the full spectrum of threats and hazards, including natural disasters (e.g., floods, fires, hurricanes), domestic or international criminal activity, construction mishaps (e.g., cut fiber optic lines), and other types of incidents.