Identifying Critical Vulnerabilities
Evaluating an information security vulnerability begins with identifying the risk it poses. Start by reviewing the organization's key information assets and their classification levels to see where weaknesses exist. Then build a topology of the system: a map of how its components interact and interconnect. Network diagrams, accounting and finance assessment records, and marketing plans are all useful inputs; in other words, look at the business structure as a whole to identify its strengths and weaknesses.
At the IT level, examine how the network is built. How are passwords constructed, and are they strong or weak? Is the network protected by a firewall? Is antivirus software in place? These conditions matter because vulnerabilities that come from exposure to the Internet can affect the organization's ability to perform its fundamental business tasks in accounting and finance, sales and marketing, or manufacturing and engineering. Ask which business functions could continue if the network or the computers went down. If the answer is very few, then the vulnerabilities affecting those systems are critical.
In general, the most critical information security vulnerabilities are those that can shut down the business. They may be network based, hardware based, or software based; whatever the cause, the result is lost data or lost operational capacity.
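As an added illustration (not part of the original article), the following Python sketch turns the two preceding paragraphs into a ranking: it maps business functions to the IT assets they depend on, attaches an estimated daily loss to each function, and scores each finding from the IT-level review by the business value that would stop if its asset failed. The business functions, loss figures, dependencies and findings are all constructed sample data, and the 50% criticality threshold is an assumption chosen for the example.

```python
# Constructed sample data for illustration; none of it comes from the article.
# Business functions and an estimated daily loss (in thousands) if each one stops.
BUSINESS_FUNCTIONS = {
    "accounting_and_finance": 50,
    "sales_and_marketing": 40,
    "manufacturing_and_engineering": 80,
}

# Which IT assets each business function cannot operate without.
DEPENDENCIES = {
    "accounting_and_finance": {"erp_server", "file_server", "core_switch"},
    "sales_and_marketing": {"crm_server", "web_server", "core_switch"},
    "manufacturing_and_engineering": {"plc_gateway", "file_server", "core_switch"},
}

# Findings from the IT-level review: (asset, weakness, detail). Constructed.
FINDINGS = [
    ("web_server", "no_firewall", "Internet-facing host with no firewall"),
    ("file_server", "weak_passwords", "Shared account with an eight-character dictionary password"),
    ("crm_server", "no_antivirus", "No endpoint protection installed"),
    ("core_switch", "default_credentials", "Management interface still uses the factory password"),
]


def asset_impact(asset, functions, dependencies):
    """Daily loss summed over every business function that depends on `asset`."""
    return sum(cost for fn, cost in functions.items() if asset in dependencies[fn])


def rank_findings(findings, functions, dependencies):
    """Order findings most critical first by the business value their asset carries."""
    ranked = []
    for asset, weakness, detail in findings:
        affected = sorted(fn for fn in functions if asset in dependencies[fn])
        ranked.append({
            "asset": asset,
            "weakness": weakness,
            "detail": detail,
            "impact": asset_impact(asset, functions, dependencies),
            "functions_affected": affected,
        })
    # Python's sort is stable, so findings with equal impact keep review order.
    return sorted(ranked, key=lambda f: f["impact"], reverse=True)


def critical_findings(findings, functions, dependencies, threshold=0.5):
    """Findings whose asset failing would halt at least `threshold` of total business value.

    This is the article's "if very little can be done without it, the
    vulnerability is critical" test, with the cut-off made explicit (assumed 50%).
    """
    total = sum(functions.values())
    return [f for f in rank_findings(findings, functions, dependencies)
            if f["impact"] >= threshold * total]


if __name__ == "__main__":
    for f in rank_findings(FINDINGS, BUSINESS_FUNCTIONS, DEPENDENCIES):
        flag = "CRITICAL" if f in critical_findings(FINDINGS, BUSINESS_FUNCTIONS, DEPENDENCIES) else ""
        print(f"{f['impact']:>4}  {f['asset']:<12} {f['weakness']:<20} "
              f"{', '.join(f['functions_affected'])}  {flag}")
```

On this data the default credentials on the core switch outrank the missing firewall on the web server, even though the firewall gap is the more obvious Internet exposure: every business function depends on the switch, while the web server only carries sales and marketing. That is the point of tying findings back to business functions before calling any of them critical.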