Page 101 - CISSO_Prep_ Guide
of the configuration (technical), but also a review of the change control process for managing the configuration. Through such a vulnerability assessment, management can gain a solid report on the strength and effectiveness of the risk management program.
Many open-source and commercial tools can be used to perform a vulnerability assessment, and several websites list known vulnerabilities in common applications, operating systems, and utilities.
The problem with a vulnerability assessment can be the number of false positives, or "noise", that it generates, which makes it difficult to determine the actual severity of the problems found. Therefore, the next step is to conduct a penetration test.
A penetration test is a targeted attempt to "break into" a system or application (or, in a physical check, into a building). The penetration tester, using the results of a vulnerability assessment, selects a potential vulnerability and tries to exploit it. If the penetration tester can break in, then the weakness is real and must be mitigated. If the examiner is unable to break in, then there is a good chance that the vulnerability is not severe and does not require mitigation.
A penetration tester often uses the same tools used by hackers to try to break into systems. This means that the results are realistic and meaningful. However, this also poses a risk to the organization, since these tools can be hazardous to use and may result in system failure or compromise. Therefore, it is of utmost importance that such tests are only conducted with management approval and through the use of a defined methodology and oversight.