Page 1170 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
residual risk. Any losses that occur from residual risk are the
responsibility of management.
In contrast, an organization that never performs vulnerability scans
will likely have many vulnerabilities. Additionally, these vulnerabilities
will remain unknown, and management will not have the opportunity
to decide which vulnerabilities to mitigate and which ones to accept.
Vulnerability Assessments
A vulnerability assessment will often include results from vulnerability
scans, but the assessment does more than report them. For example, an
annual vulnerability assessment may analyze all of the vulnerability scan
reports from the past year to determine whether the organization is
actually remediating the vulnerabilities it finds. If the same
vulnerability appears on every vulnerability scan report, a logical
question to ask is, "Why hasn't this been mitigated?" There may be a
valid reason and management chose to accept the risk (which should be
documented), or it may be that the vulnerability scans are being
performed but no action is ever taken to mitigate what they discover.
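The year-end review described above can be done mechanically: collect the period's scan reports, find the findings that appear on every one of them, and check each against the risk-acceptance register so that "accepted" and "never mitigated" are told apart. The script below is an added illustration, not code from the study guide or from any scanner vendor; the scan reports, host names, finding identifiers (V-101 and so on) and the acceptance register are all constructed placeholders, and the register's shape (approver plus expiry date) is an assumption about how an organization might record an accepted risk.

```python
"""Flag findings that recur on every vulnerability scan report in a period
and classify each as accepted, acceptance-expired, or simply unmitigated.
All sample data below is constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str   # the scanner's identifier for the weakness; placeholders here
    severity: str


# Constructed sample: four quarterly scan reports for one environment.
SCAN_REPORTS = {
    date(2023, 1, 15): {
        Finding("db01", "V-101", "high"),
        Finding("web01", "V-202", "medium"),
        Finding("web01", "V-303", "low"),
    },
    date(2023, 4, 15): {
        Finding("db01", "V-101", "high"),
        Finding("web01", "V-202", "medium"),
    },
    date(2023, 7, 15): {
        Finding("db01", "V-101", "high"),
        Finding("web01", "V-202", "medium"),
        Finding("web02", "V-404", "critical"),
    },
    date(2023, 10, 15): {
        Finding("db01", "V-101", "high"),
        Finding("web01", "V-202", "medium"),
        Finding("web02", "V-404", "critical"),
    },
}

# Constructed (hypothetical) risk-acceptance register: management signed off
# on V-202 for web01, with an expiry date after which it must be re-approved.
ACCEPTED_RISKS = {
    ("web01", "V-202"): {"approver": "CIO", "expires": date(2024, 1, 31)},
}


def finding_history(reports):
    """Map each finding to the sorted list of report dates it appeared on."""
    history = defaultdict(list)
    for when in sorted(reports):
        for finding in reports[when]:
            history[finding].append(when)
    return dict(history)


def persistent_findings(reports):
    """Findings that appear on every report in the period."""
    total = len(reports)
    return {f for f, seen in finding_history(reports).items() if len(seen) == total}


def remediation_rate(reports):
    """Fraction of each report's findings that are gone by the next report.

    Returns a list of (report_date, rate); a run of 0.0 values is the
    'scanning but never fixing' pattern the assessment is looking for.
    """
    dates = sorted(reports)
    rates = []
    for earlier, later in zip(dates, dates[1:]):
        before = reports[earlier]
        if before:
            fixed = before - reports[later]
            rates.append((earlier, len(fixed) / len(before)))
    return rates


def review(reports, accepted, as_of):
    """Classify each persistent finding as accepted, acceptance-expired or
    unmitigated, with the number of days between first and last sighting.

    Returns a sorted list of (host, vuln_id, status, days_open)."""
    history = finding_history(reports)
    rows = []
    for finding in persistent_findings(reports):
        seen = history[finding]
        acceptance = accepted.get((finding.host, finding.vuln_id))
        if acceptance is None:
            status = "unmitigated"
        elif acceptance["expires"] < as_of:
            status = "acceptance-expired"
        else:
            status = "accepted"
        rows.append((finding.host, finding.vuln_id, status, (seen[-1] - seen[0]).days))
    return sorted(rows)


if __name__ == "__main__":
    for row in review(SCAN_REPORTS, ACCEPTED_RISKS, as_of=date(2023, 12, 1)):
        print(row)
    for when, rate in remediation_rate(SCAN_REPORTS):
        print(f"{when}: {rate:.0%} of findings fixed by the next scan")
```

The status column is the point of the exercise: an "accepted" row has a documented decision behind it and its losses are management's responsibility, while an "unmitigated" row (or an expired acceptance) is exactly the case where the assessment should ask why nothing has been done.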
Vulnerability assessments are often done as part of a risk analysis or
risk assessment to identify the vulnerabilities at a point in time.
Additionally, vulnerability assessments can look at other areas to
determine risks. For example, a vulnerability assessment can look at
how sensitive information is marked, handled, stored, and destroyed
throughout its lifetime to address potential vulnerabilities.
The term vulnerability assessment is sometimes used to
indicate a risk assessment. In this context, a vulnerability
assessment would include the same elements as a risk assessment,
described in Chapter 2, “Personnel Security and Risk Management
Concepts.” This includes identifying the value of assets, identifying
vulnerabilities and threats, and performing a risk analysis to
determine the overall risk.
Chapter 15, “Security Assessment and Testing,” covers penetration