Re: Vulnerability vs. Risk Assessments

["St Clair, Jim" <Jim.StClair () GT COM>]

Hi Chris,

Yes they are often used interchangeably, causing confusion. If you think of the risk formula (threat X impact X 
likelihood = risk) then a vulnerability assessment focuses on more technical issues (either a port is closed or not) 
while a risk assessment should be more specific to a business/ process (this open port creates high risk in web 
services supporting health records).

Both are useful, and should be conducted periodically. It's only unfortunate when a service provider calls it the 
latter but can only deliver the former.

James A. St.Clair, CISM, PMP
Senior Manager
Global Public Sector
Grant Thornton LLP
T  703-637-3078
F  703-637-4455
C  703-727-6332
E  jim.stclair () gt com



The people in the independent firms of Grant Thornton International Ltd provide personalized attention and the highest 
quality service to public and private clients in more than 100 countries. Grant Thornton LLP is the U.S. member firm of 
Grant Thornton International Ltd, one of the six global audit, tax and advisory organizations. Grant Thornton 
International Ltd and its member firms are not a worldwide partnership, as each member firm is a separate and distinct 
legal entity.
In the U.S., visit Grant Thornton LLP at http://www.grantthornton.com/.
-----Original Message-----

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Chris 
Kidd
Sent: Wednesday, November 04, 2009 9:03 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Vulnerability vs. Risk Assessments

I'm having a hard time articulating the difference between these two types of assessments, so I'm hoping someone can 
clearly define them. Any thoughts are appreciated.

Thanks,
Chris

Chris Kidd
Chief Information Security and Privacy Officer
The University of Utah
650 Komas Drive, Suite 102
Salt Lake City, UT 84108
Office: 801.587.9241
Cell: 801.747.9028
chris.kidd () utah edu

http://www.secureit.utah.edu



In accordance with applicable professional regulations, please understand that, unless expressly stated otherwise, any 
written advice contained in, forwarded with, or attached to this e-mail is not intended or written by Grant Thornton 
LLP to be used, and cannot be used, by any person for the purpose of avoiding any penalties that may be imposed under 
the Internal Revenue Code.
--------------------------------------------------------------------------
This e-mail is intended solely for the person or entity to which it is addressed and may contain confidential and/or 
privileged information. Any review, dissemination, copying, printing or other use of this e-mail by persons or entities 
other than the addressee is prohibited. If you have received this e-mail in error, please contact the sender 
immediately and delete the material from any computer.