IT Essentials — Introduction to IT

            Control Monitoring and Reporting



































            External Vulnerability Assessment and Penetration Test

            Elina: Wendy, would you mind explaining what is the difference between an external vulnerability
            assessment and a penetration test?

            Wendy: Great question, Elina. Vulnerability tests identify the population of weakness, whereas
            penetration tests validate the strength of controls.

            Wendy: External and internal vulnerability scans look to see if any signatures are violated using a
            network scanner. The assessment may also include activities to test employees’ capability of
            spotting phishing emails and assess business processes to ensure they have appropriate
            confidentiality, integrity, and availability controls (CIA Triad). These controls protect confidentiality
            of data and information assets from attack. The controls also protect the integrity of data and
            information assets from unapproved change and validate their completeness and accuracy to better
            assure their availability in a time of need.

            Wendy: Not performing vulnerability scans can impact our cyber insurance policy, as well as create
            regulatory woes.

            Wendy: Having said all of that, we can ask about these vulnerabilities with the question below.








            Copyright © 2020 by The Institute of Internal Auditors, Inc. All rights reserved.