
Vulnerability assessment

Definition

A systematic process of identifying, classifying, and prioritising security weaknesses in systems, software, and infrastructure. It produces a list of findings with severity ratings (commonly CVSS scores) but, unlike a penetration test, does not typically involve actively exploiting the weaknesses it reports.

Related terms

Approved Scanning Vendor (ASV)
An organisation qualified by the PCI Security Standards Council to conduct external vulnerability scans of cardholder data environments. PCI-DSS requirement 11.3.2 mandates...
Audit evidence
Any information the auditor uses to draw conclusions about a control. To be acceptable, audit evidence must be sufficient (enough of it),...
CVSS (Common Vulnerability Scoring System)
An open standard maintained by FIRST (Forum of Incident Response and Security Teams) that assigns a numeric score from 0 to 10...
Remediation prioritisation
The process of ordering vulnerability remediation by risk. Factors include CVSS base score, asset criticality, threat intelligence about active exploitation, and compensating...
Risk acceptance
A formal decision by an authorised senior manager to tolerate a finding without full remediation, typically because the cost of remediation exceeds...
