QUESTION & ANSWER
Keeping compliance terms straight

By Editorial staff
17 Jan 2008 | SearchFinancialSecurity.com

Keeping the definitions of audit, vulnerability assessment and pen testing straight can be confusing. Expert Kevin Beaver helps sort them out.

Question: A lot of people use security audit, vulnerability assessment and penetration test interchangeably. Can you explain the difference so I'll know which terms to use at the right time?
Kevin Beaver: Yes, technically there is a difference. An audit is performed (usually by an outside expert) to compare what you say you're doing in your security policies and plans to what you're actually doing. A vulnerability assessment is a test (or set of tests) looking at specific weaknesses in your information systems infrastructure. This can be a technical or business-process-focused assessment, or both. A vulnerability assessment is often part of a larger information risk assessment. Finally, a penetration test is an attempt to breach security measures and see if critical information can be obtained. This test can also include less technical tests such as social engineering and physical security exploits. There's usually a well-defined end goal such as obtaining passwords or access to a database or even a building.