Assesses the potential vulnerabilities identified against established vulnerability databases.
SFIA Skills: Vulnerability assessment (VUAS)
Vulnerability assessment (VUAS) (Level 4)
Conducts automated and manual vulnerability assessments and business impact analyses. Creates test cases using in-depth technical analysis of risks and typical vulnerabilities. Assesses effectiveness of security controls for infrastructure and application components, and recommends remedial action.
Tools and techniques (VUAS) (Level 4)
Contributes to the selection and deployment of vulnerability assessment tools and techniques.
Risk mitigation (VUAS) (Level 4)
Delivers risk treatment plans using one or more recognised control sets.
Risk assessment (VUAS) (Level 4)
Produces a risk assessment table to determine the likelihood and impact to an information or technology asset if a vulnerability is exposed to a threat source, assigning a likelihood and impact to determine risk level. Documents the business impact of a vulnerability being breached.
Critical information and technology assets (VUAS) (Level 4)
Allocates an impact level to critical information and technology assets should their confidentiality, integrity or availability be breached. Collates and analyses catalogues of information and technology assets for vulnerability assessment.
Communication and awareness (VUAS) (Level 4)
Promotes security awareness and communicates information on security risks and potential business impact to senior business managers and others.
Assessment documentation (VUAS) (Level 4)
Documents a full vulnerability assessment and business impact analysis conducted on medium complexity information systems.
Vulnerability identification and analysis (VUAS) (Level 5)
Takes a comprehensive approach to seeking vulnerabilities across the full spectrum of organisation policies, processes, and defences in order to improve organisational readiness, improve training for defensive practitioners, and inspect current performance levels.
Vulnerability assessment (VUAS) (Level 5)
Plans and manages automated and manual vulnerability assessment activities within the organisation. Assesses effectiveness of security controls for infrastructure and application components and recommends remedial action.
Tools and techniques (VUAS) (Level 5)
Reviews, evaluates, and selects vulnerability tools and techniques.
Risk mitigation (VUAS) (Level 5)
Identifies control owners and holds them accountable for the implementation of policies to reduce the risk of controls allocated to them using a recognised methodology.
Risk assessment (VUAS) (Level 5)
Uses complex quantitative risk analysis methods, such as exposure factor, single loss expectancy, annualised rate of occurrence or annualised loss expectancy, to conduct security risk assessments, business impact analysis and accreditation on complex information systems.
Critical information and technology assets (VUAS) (Level 5)
Determines a quantifiable value to the impairment of an identified critical information or technology asset.
Communication and awareness (VUAS) (Level 5)
Communicates to the organisation’s leadership information on security risks to critical information and technology assets, and the impact on the business should vulnerabilities be breached.
Assessment documentation (VUAS) (Level 5)
Documents a full vulnerability assessment and business impact analysis conducted on complex information systems.
Vulnerability identification and analysis (VUAS) (Level 3)
Determines the potential vulnerabilities that might breach a critical information asset.
Vulnerability assessment (VUAS) (Level 3)
Conducts automated and manual vulnerability assessments under direction. Undertakes moderate-complexity vulnerability assessments using more sophisticated techniques and tools.
Risk assessment (VUAS) (Level 3)
Assesses the likelihood of attack on critical information and technology asset vulnerabilities from a threat source. Assesses the business impact and determines a value to the potential loss should a vulnerability be breached.
Critical information and technology assets (VUAS) (Level 3)
Assigns asset information security requirements and catalogues identified critical information and technology assets for vulnerability assessment.
Communication and awareness (VUAS) (Level 3)
Promotes security awareness and communicates information on known security risks and issues to business managers and others.
Assessment documentation (VUAS) (Level 3)
Documents vulnerability assessments. Evaluates and documents results, escalating and communicating issues where appropriate.
Vulnerability identification and analysis (VUAS) (Level 2)
Identifies basic vulnerabilities that might breach a critical information or technology asset.
Vulnerability assessment (VUAS) (Level 2)
Undertakes routine vulnerability assessments using automated and semi-automated tools, escalating issues where appropriate. Participates, under supervision, in more complex assessments.
Critical information and technology assets (VUAS) (Level 2)
Identifies and documents critical information and technology assets within the organisation, including the asset type and asset location.
Communication and awareness (VUAS) (Level 2)
Promotes awareness of security risks and issues to colleagues and others.
Assessment documentation (VUAS) (Level 2)
Documents the scope and results of basic vulnerability assessments, or contributes to the documentation of more complex assessments.