Definitions
Vulnerability assessment (VA) is "a formal description and evaluation of the vulnerabilities in an information system."[1]
Vulnerability assessment is also defined as:
“[a]n examination of the ability of a system or application, including current security procedures and controls, to withstand assault. A vulnerability assessment may be used to: (1) identify weaknesses that could be exploited; and (2) predict the effectiveness of additional security measures in protecting information resources from attack.”[2]
“the systematic examination of a critical infrastructure, the interconnected systems on which it relies, its information, or product to determine the adequacy of security measures, identify security deficiencies, evaluate security alternatives, and verify the adequacy of such measures after implementation.”[3]
“[the] [s]ystematic examination of an IT and ICS or product to determine the adequacy of cybersecurity measures, identify security deficiencies, provide data from which to predict the effectiveness of proposed cybersecurity measures, and confirm the adequacy of such measures after implementation.”[4]
“[the] product or process of identifying physical features or operational attributes that render an entity, asset, system, network, or geographic area susceptible or exposed to hazards.”[5]
Overview
"Vulnerability assessments can produce comparable estimates of vulnerabilities across a variety of hazards or assets, systems, or networks."[6]
References
- [1] NIST Special Publication 800-53; CNSSI 4009.
- [2] Practices for Securing Critical Information Assets, Glossary, at 59.
- [3] President's Commission on Critical Infrastructure Protection, Critical Foundations: Protecting America’s Infrastructures, Glossary (full-text).
- [4] Electricity Subsector Cybersecurity Risk Management Process, at 69.
- [5] DHS Risk Lexicon, at 39.
- [6] Id.