Re: Vulnerability vs. Risk Assessments

[Mike Waller <mwaller.distro () GMAIL COM>]

The below is a pretty good explanation. From my experience, a vulnerability
assessment is a look at a system/site/application/firewall/whatever with an
eye towards all of the vulnerable points. Once you identify the
vulnerabilities, you would then move to a risk assessment by determining
what the threat, potential impact and likelihoods are.

On Wed, Nov 4, 2009 at 9:13 PM, St Clair, Jim <Jim.StClair () gt com> wrote:

> Hi Chris,
>
> Yes they are often used interchangeably, causing confusion. If you think of
> the risk formula (threat X impact X likelihood = risk) then a vulnerability
> assessment focuses on more technical issues (either a port is closed or not)
> while a risk assessment should be more specific to a business/ process (this
> open port creates high risk in web services supporting health records).
>
> Both are useful, and should be conducted periodically. It's only
> unfortunate when a service provider calls it the latter but can only deliver
> the former.
>
> James A. St.Clair, CISM, PMP
> Senior Manager
> Global Public Sector
> Grant Thornton LLP
> T  703-637-3078
> F  703-637-4455
> C  703-727-6332
> E  jim.stclair () gt com
>
>
>
> The people in the independent firms of Grant Thornton International Ltd
> provide personalized attention and the highest quality service to public and
> private clients in more than 100 countries. Grant Thornton LLP is the U.S.
> member firm of Grant Thornton International Ltd, one of the six global
> audit, tax and advisory organizations. Grant Thornton International Ltd and
> its member firms are not a worldwide partnership, as each member firm is a
> separate and distinct legal entity.
> In the U.S., visit Grant Thornton LLP at http://www.grantthornton.com/.
> -----Original Message-----
>
> From: The EDUCAUSE Security Constituent Group Listserv [mailto:
> SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Chris Kidd
> Sent: Wednesday, November 04, 2009 9:03 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Vulnerability vs. Risk Assessments
>
> I'm having a hard time articulating the difference between these two types
> of assessments, so I'm hoping someone can clearly define them. Any thoughts
> are appreciated.
>
> Thanks,
> Chris
>
> Chris Kidd
> Chief Information Security and Privacy Officer
> The University of Utah
> 650 Komas Drive, Suite 102
> Salt Lake City, UT 84108
> Office: 801.587.9241
> Cell: 801.747.9028
> chris.kidd () utah edu
>
> http://www.secureit.utah.edu
>
>
>
> In accordance with applicable professional regulations, please understand
> that, unless expressly stated otherwise, any written advice contained in,
> forwarded with, or attached to this e-mail is not intended or written by
> Grant Thornton LLP to be used, and cannot be used, by any person for the
> purpose of avoiding any penalties that may be imposed under the Internal
> Revenue Code.
> --------------------------------------------------------------------------
> This e-mail is intended solely for the person or entity to which it is
> addressed and may contain confidential and/or privileged information. Any
> review, dissemination, copying, printing or other use of this e-mail by
> persons or entities other than the addressee is prohibited. If you have
> received this e-mail in error, please contact the sender immediately and
> delete the material from any computer.