102 Vulnerability Assessment Success Criteria

What is involved in Vulnerability Assessment

Find out what the related areas are that Vulnerability Assessment connects with, associates with, correlates with or affects, and which require thought, deliberation, analysis, review and discussion. This unique checklist stands out in a sense that it is not per-se designed to give answers, but to engage the reader and lay out a Vulnerability Assessment thinking-frame.

How far is your company on its Vulnerability Assessment journey?

Take this short survey to gauge your organization’s progress toward Vulnerability Assessment leadership. Learn your strongest and weakest areas, and what you can do now to create a strategy that delivers results.

To address the criteria in this checklist for your organization, extensive selected resources are provided for sources of further research and information.

Start the Checklist

Below you will find a quick checklist designed to help you think about which Vulnerability Assessment related domains to cover and 102 essential critical questions to check off in that domain.

The following domains are covered:

Vulnerability Assessment, Communication, Disaster management, Energy supply, Information technology, Risk analysis, Risk assessment, Transportation, Vulnerability, Vulnerability index, Vulnerability scanner, Water supply:

Vulnerability Assessment Critical Criteria:

Be clear about Vulnerability Assessment projects and get going.

– Does Vulnerability Assessment include applications and information with regulatory compliance significance (or other contractual conditions that must be formally complied with) in a new or unique manner for which no approved security requirements, templates or design models exist?

– Does your organization perform vulnerability assessment activities as part of the acquisition cycle for products in each of the following areas: Cybersecurity, SCADA, smart grid, internet connectivity, and website hosting?

– What are the key elements of your Vulnerability Assessment performance improvement system, including your evaluation, organizational learning, and innovation processes?

– At what point will vulnerability assessments be performed once Vulnerability Assessment is put into production (e.g., ongoing Risk Management after implementation)?

– At what point will vulnerability assessments be performed once the system is put into production (e.g., ongoing risk management after implementation)?

– Has your organization conducted a cyber risk or vulnerability assessment of its information systems, control systems, and other networked systems?

– Do you have an internal or external company performing your vulnerability assessment?

– Do we all define Vulnerability Assessment in the same way?

Communication Critical Criteria:

Accommodate Communication planning and adjust implementation of Communication.

– It is difficult to know if youve got the right spending level. however, the agency should provide a range of budgets for the products they advertise. how much does the top advertiser spend?

– Generating increased purchases or use is also a typical category for consumer promotion objectives in sustaining programs. when do you want to do this?

– There are a variety of product related problems that can turn into crises. what if product tampering occurs and consumers buying products are harmed?

– Does the organization have an infrastructure in place in order to provide timely, honest communication with employees?

– Do you have a consumer communication plan or a way of dealing with customer perceptions and expectations?

– Are the integrity and availability and information processing and communication services maintained?

– Have extra media been scheduled during particularly strong sales periods during the year?

– Does the plan deliver on the most important goals set forth in the media objectives?

– Is the promotion consistent with the product positioning and other marketing plans?

– It supports conviction and purchase by asking so, are you ready to connect?

– What do you hope to achieve as a result of your communications activities?

– Which of the market segments will be the target market for this campaign?

– How does interactive marketing fit with existing marketing campaigns?

– Is it broadening the reach of your message to new audiences?

– What forms of communication or reporting are appropriate?

– What is the nature of our middlemen or the trade?

– What is your type of distribution outlet/system?

– What made your communication work?

– Mission – what is the objective?

Disaster management Critical Criteria:

Reorganize Disaster management outcomes and devise Disaster management key steps.

– How do senior leaders actions reflect a commitment to the organizations Vulnerability Assessment values?

– When a Vulnerability Assessment manager recognizes a problem, what options are available?

– How will you measure your Vulnerability Assessment effectiveness?

Energy supply Critical Criteria:

Examine Energy supply governance and correct better engagement with Energy supply results.

– What are the disruptive Vulnerability Assessment technologies that enable our organization to radically change our business processes?

– Will new equipment/products be required to facilitate Vulnerability Assessment delivery for example is new software needed?

– What will drive Vulnerability Assessment change?

Information technology Critical Criteria:

Face Information technology governance and sort Information technology activities.

– Does your company have defined information technology risk performance metrics that are monitored and reported to management on a regular basis?

– Do the response plans address damage assessment, site restoration, payroll, Human Resources, information technology, and administrative support?

– If a survey was done with asking organizations; Is there a line between your information technology department and your information security department?

– How do we ensure that implementations of Vulnerability Assessment products are done in a way that ensures safety?

– How do we measure improved Vulnerability Assessment service perception, and satisfaction?

– How does new information technology come to be applied and diffused among firms?

– The difference between data/information and information technology (it)?

– What are the short and long-term Vulnerability Assessment goals?

– When do you ask for help from Information Technology (IT)?

Risk analysis Critical Criteria:

Scan Risk analysis outcomes and frame using storytelling to create more compelling Risk analysis projects.

– How do risk analysis and Risk Management inform your organizations decisionmaking processes for long-range system planning, major project description and cost estimation, priority programming, and project development?

– what is the best design framework for Vulnerability Assessment organization now that, in a post industrial-age if the top-down, command and control model is no longer relevant?

– What levels of assurance are needed and how can the risk analysis benefit setting standards and policy functions?

– In which two Service Management processes would you be most likely to use a risk analysis and management method?

– How does the business impact analysis use data from Risk Management and risk analysis?

– Can we do Vulnerability Assessment without complex (expensive) analysis?

– How do we do risk analysis of rare, cascading, catastrophic events?

– With risk analysis do we answer the question how big is the risk?

– Are there Vulnerability Assessment Models?

Risk assessment Critical Criteria:

Guard Risk assessment issues and spearhead techniques for implementing Risk assessment.

– Which customers cant participate in our Vulnerability Assessment domain because they lack skills, wealth, or convenient access to existing solutions?

– Are interdependent service providers (for example, fuel suppliers, telecommunications providers, meter data processors) included in risk assessments?

– Does the risk assessment approach helps to develop the criteria for accepting risks and identify the acceptable level risk?

– Are standards for risk assessment methodology established, so risk information can be compared across entities?

– With Risk Assessments do we measure if Is there an impact to technical performance and to what level?

– How frequently, if at all, do we conduct a business impact analysis (bia) and risk assessment (ra)?

– Does the process include a BIA, risk assessments, Risk Management, and risk monitoring and testing?

– What operating practices represent major roadblocks to success or require careful risk assessment?

– What knowledge, skills and characteristics mark a good Vulnerability Assessment project manager?

– Is the priority of the preventive action determined based on the results of the risk assessment?

– How does your company report on its information and technology risk assessment?

– How often are information and technology risk assessments performed?

– How are risk assessment and audit results communicated to executives?

– Do you use any homegrown IT system for ERM or risk assessments?

– Are regular risk assessments executed across all entities?

– Who performs your companys IT risk assessments?

– Do you use any homegrown IT system for risk assessments?

– Are risk assessments at planned intervals reviewed?

Transportation Critical Criteria:

Pilot Transportation failures and ask questions.

– Are adequate facilities used for transportation, storage and calibration of all tools, gauges and test equipment?

– Meeting the challenge: are missed Vulnerability Assessment opportunities costing us money?

– Do we understand the mechanisms and patterns that underlie transportation in our jurisdiction?

– Do we understand public perception of transportation service delivery at any given time?

– Does your long-range transportation plan address access management?

– Who sets the Vulnerability Assessment standards?

Vulnerability Critical Criteria:

Check Vulnerability results and use obstacles to break out of ruts.

– Is it prohibited to store the full contents of any track from the magnetic stripe (on the back of the card, in a chip, etc.) in the database, log files, or point-of-sale products?

– Are information security policies, including policies for access control, application and system development, operational, network and physical security, formally documented?

– If wireless technology is used, do you restrict access to wireless access points, wireless gateways, and wireless handheld devices?

– Are there any requirements to provide remediation recommendations that correlate back to any specific regulatory requirements?

– Are controls implemented on the server side to prevent sql injection and other bypassing of client side-input controls?

– Do operating procedures require systems to undergo a security/vulnerability scan before being placed into production?

– Under what assumptions do we use to provide the number of hours that will be used for the security policy reviews?

– Are vendor default security settings changed on production systems before taking the system into production?

– Is a firewall used to protect the network and limit traffic to that which is required to conduct business?

– Is all cardholder data printed on paper or received by fax protected against unauthorized access?

– Is there an incident response team ready to be deployed in case of a cardholder data compromise?

– Are all but the last four digits of the account number masked when displaying cardholder data?

– Are all users required to authenticate using, at a minimum, a unique username and password?

– Are group, shared, or generic accounts and passwords prohibited for non-consumer users?

– Consequences of Compromise What are the consequences of compromise?

Vulnerability index Critical Criteria:

Tête-à-tête about Vulnerability index risks and don’t overlook the obvious.

– Are there any disadvantages to implementing Vulnerability Assessment? There might be some that are less obvious?

– Is Vulnerability Assessment Realistic, or are you setting yourself up for failure?

– How do we Identify specific Vulnerability Assessment investment and emerging trends?

Vulnerability scanner Critical Criteria:

Think carefully about Vulnerability scanner risks and finalize specific methods for Vulnerability scanner acceptance.

– Risk factors: what are the characteristics of Vulnerability Assessment that make it risky?

– For host vulnerability scanners, do we require agents to be installed on each host?

– Is Supporting Vulnerability Assessment documentation required?

– How can you measure Vulnerability Assessment in a systematic way?

Water supply Critical Criteria:

Think carefully about Water supply tasks and probe Water supply strategic alliances.

– For your Vulnerability Assessment project, identify and describe the business environment. is there more than one layer to the business environment?

– What are the Essentials of Internal Vulnerability Assessment Management?

– What are internal and external Vulnerability Assessment relations?


This quick readiness checklist is a selected resource to help you move forward. Learn more about how to achieve comprehensive insights with the Vulnerability Assessment Self Assessment:


Author: Gerard Blokdijk

CEO at The Art of Service | http://theartofservice.com



Gerard is the CEO at The Art of Service. He has been providing information technology insights, talks, tools and products to organizations in a wide range of industries for over 25 years. Gerard is a widely recognized and respected information expert. Gerard founded The Art of Service consulting business in 2000. Gerard has authored numerous published books to date.

External links:

To address the criteria in this checklist, these selected resources are provided for sources of further research and information:

Vulnerability Assessment External links:

15 Vulnerability Assessment Flashcards | Quizlet

Vulnerability Assessment page – dot.ca.gov

[PDF]Unit IV – Vulnerability Assessment

Communication External links:

Stripe Internal Communication Channel

Disaster management External links:

Disaster Management and Emergency Preparedness

Disaster Management – Clackamas County

Energy supply External links:

Mace Energy Supply-Smithsburg, Maryland

CMP | Energy Supply

American Energy Supply – Construction Site Oil Tanks

Information technology External links:

OHIO: Office of Information Technology |About Email

Information Technology Services – UTMail

Rebelmail | UNLV Office of Information Technology (OIT)

Risk analysis External links:

[PDF]Military Police Risk Analysis for Army Property

Project Management and Risk Analysis Software | Safran

What is risk analysis? – Definition from WhatIs.com

Risk assessment External links:

Risk Assessment Tools | OpioidRisk

Regional Screening Levels (RSLs) | Risk Assessment | US EPA


Transportation External links:

MBTA – Massachusetts Bay Transportation Authority

U.S. Department of Transportation – Official Site

Transportation Security Administration

Vulnerability External links:

Vulnerability | Define Vulnerability at Dictionary.com

Meltdown and Spectre Side-Channel Vulnerability …

GRC | ShieldsUP! — Internet Vulnerability Profiling

Vulnerability index External links:

ATSDR – The Social Vulnerability Index (SVI) – Home Page

Social Vulnerability Index 2010 (Census Tracts)

Vulnerability scanner External links:

Mirai Vulnerability scanner | Incapsula

Nessus Professional™ Vulnerability Scanner – tenable.com

Application Vulnerability Scanner

Water supply External links:

Straight Stop and Angle Stop Water Supply Valves

Online Account Access for Aqua Water Supply Corporation

Home – North Alamo Water Supply Company