Vulnerability Assessment Methodology
Security Vulnerability Assessments (SVA) is a term now commonly adopted by many organizations to describe what was prior to “9/11” considered Risk Assessments. In fact the recognized leader in the field of Vulnerability Assessment Methodologies, namely Sandia Laboratories (part of the U.S. Energy Department), utilizes the term RAM as their patented heading for Risk Assessment Methodology. Many of Wivenhoe Group’s consultants have undergone RAM training and are certified in that Methodology.
Wivenhoe Group, and its associated consultants have carried-out literally hundreds of Vulnerability Assessments or Risk Assessments over the past 20 to 30 years as an integral part of their approach to security design engineering assignments. The reason being that it is important to know who and what you are going to protect, and also equally important to know from who and what (Threat Level) that you are required to protect against.
Regardless of which methodology is utilized in carrying-out a Vulnerability Assessment (VA), and there are many; all of which Wivenhoe Group consultants are experienced with, the essential elements comprise the following:
- Threat Assessment:
- This aspect of a VA involves identifying the likely level of threat that will apply to the facility, organization, etc. In other words, is it necessary to protect from such adversaries as State Sponsored Terrorists, or is the threat level more criminal in nature. Three types of Threat Level are generally considered in this section, being Outside Adversaries, Inside Adversaries, and Cyber Adversaries. Wivenhoe Group in association with various law enforcement agencies researched and then summarized the various types of threat levels now used by many security specialists in conducting VA’s.
- Consequences:
- Accurately prioritizing each critical asset by Consequence, allows the consultant team and local facility management to determine which critical assets should be considered most important with respect to available resources and funding. Wivenhoe Group works with each client to ascertain what is important and what is feasible in terms of improving security or providing for effective Mitigation in the case of each critical asset.
- Findings & Recommendations:
- Wivenhoe Group will provide a full written report detailing both Findings and appropriate Recommendations. The first report is a Draft Report to be discussed with the client, and it is important to remember that Wivenhoe Group consults with the client throughout the entire VA exercise to ensure that the client is aware of all findings as they occur.
When the draft report is presented to the client, it is a summary of what is already known to the client at that time, and should not provide any unexpected surprises.
It should be noted that Wivenhoe Group also provides each client with a Recommended Timetable of Implementation that may be over several years as even with unlimited funding, it is not practical to implement All recommendations overnight.
In the Final Report, Wivenhoe Group will conduct a PowerPoint presentation to all involved client parties explaining All Findings and All Recommendations and with then be available to answer any and all questions.
We have found that our experience and expertise in security engineering design and implementation covering a multitude of industries and environments has allowed Wivenhoe Group to successfully provide Vulnerability Assessments that are sound, responsible, effective and cost-effective.
The Vulnerability Assessment for each client will detail those Findings and Recommendations that are appropriate for that particular client’s situation. They will be no less and no more than is required to provide the level of security to protect that particular facility or group of facilities.