Chapter 5 - Vulnerability assessments

Abstract

Vulnerabilities are weaknesses or gaps in a security program that can be exploited by threats to gain unauthorized access to an asset. Vulnerabilities include structural, procedural, electronic, human, and other elements that provide opportunities to attack assets. They can be categorized as physical, technical, or operational. A vulnerability assessment is a systematic approach used to assess a facility's security posture and analyze the effectiveness of the existing security program at the facility. The fundamental method for assessing vulnerabilities is the security survey, which is a tool for collecting information about the facility. The goal of a vulnerability assessment is to identify and block opportunities for attacks against assets. By effectively blocking opportunities, security decision makers can mitigate threats and reduce risk. The basic process of a vulnerability assessment first determines what assets are in need of protection by the facility's security program, and then identifies the protection measures already in place to secure those assets and what gaps in protection exist. Finally, the assessment measures the security program's effectiveness against valid security metrics and provides recommendations to security decision makers for improvements. In essence, the vulnerability assessment assists security decision makers in determining the need for additional security measures, security equipment upgrades, changes in policies and procedures, and manpower needs.