
206 Vulnerability ManageMent
6.7.2 Assess Security Controls
A complete understanding of policies, procedures, and standards will
also paint a clearer picture of the risk environment. Policies may not
reflect the changing needs of the organization or, conversely, opera-
tions may not adhere to policy or standards. In the risk assessment
process, it is necessary to quantify the value of the security controls
employed between potential threats and a target as shown in Table 6.1.
e threats come from two sources: internal and external. So, there
are two security posture values to calculate: security posture-external
threats (SPe) and security post ...