A security assessment is conducted to determine the degree to which information system security controls are correctly implemented, whether they are operating as intended, and whether they are producing the desired level of security. A vulnerability assessment is conducted to determine the weaknesses inherent in the information systems that could be exploited, leading to a breach of the information system. Without security and vulnerability assessments, information systems may not be as secure as intended or desired.
Vulnerabilities can pose significant risks to both businesses’ and consumers’ systems because attacks can threaten the access, availability, or confidentiality of systems, applications, and data.
Our assessment is based on how easy it is to exploit the vulnerability, the impact of the exploitation, the availability of exploit code, and other factors. These assessments are not subject to rigorous algorithmic measurement, so judgment calls are often made when assigning a risk level.