Perform vulnerability assessments

URN: TECDT61141
Business Sectors (Suites): IT and Telecoms Professional (procom)
Developed by: e-skills
Approved on: 2022

Overview


This standard is about performing vulnerability assessments.

This involves scanning networks, software applications and systems to detect and identify vulnerabilities and take measures to correct or manage these to strengthen security resilience.

This includes running vulnerability scans to test if the system is susceptible to any known vulnerabilities, assigning severity levels to prioritise vulnerabilities detected, recommending remediation or mitigation as required and reporting findings.

This standard covers the competencies needed to perform vulnerability assessments. It is for those who need to perform vulnerability assessments as part of their duties.


Performance criteria

You must be able to:

  1. Plan regular network and host-based vulnerability scans to identify vulnerabilities in networks, servers and hosts
  2. Perform routine analysis of system log files and reports from firewalls and other boundary protection devices to identify anomalies and new vulnerabilities
  3. Review and optimise scan templates to ensure complete coverage of the information systems environment
  4. Conduct vulnerability assessments for networks, applications and operating systems
  5. Develop, implement and maintain automated vulnerability scanning tools to improve the efficiency and effectiveness of vulnerability analysis
  6. Triage identified vulnerabilities to prioritise remediation activities
  7. Create a vulnerability mitigation plan to manage identified vulnerabilities
  8. Implement updated patches in line with the patch management plan
  9. Manage identified vulnerabilities throughout their life cycle until they are mitigated
  10. Prepare and communicate vulnerability assessment status reports and metrics in line with organisational procedures

Knowledge and Understanding

You need to know and understand:

  1. The main principles of vulnerability assessment
  2. The need to agree the scope of vulnerability assessments prior to commencement
  3. The steps involved in performing vulnerability assessments
  4. The industry standard techniques used to locate and identify vulnerabilities
  5. How to triage identified vulnerabilities to manage remediation priorities
  6. That a vulnerability assessment consists of scanning networks, operating systems and applications to identify and assess potential vulnerabilities
  7. The specified organisational vulnerability assessment tools and how to apply them
  8. How to automate vulnerability scanning to increase efficiency
  9. How to develop mitigation strategies for network, operating system and application vulnerabilities
  10. That all major software releases should undergo a vulnerability assessment
  11. How to investigate persistent vulnerabilities
  12. That vulnerability assessment informs patch management activities
  13. How to investigate common configuration weaknesses and deployment flaws
  14. How to prepare vulnerability reports and communicate outcomes of vulnerability assessments to stakeholder groups
  15. How to manage and track vulnerabilities and mitigations throughout their lifecycle to closure

Scope/range


Scope Performance


Scope Knowledge


Values


Behaviours


Skills


Glossary


Links To Other NOS


External Links


Version Number

1

Indicative Review Date

2025

Validity

Current

Status

Original

Originating Organisation

ODAG Consultants Ltd.

Original URN

TECDT61141

Relevant Occupations

Information and Communication Technology Professionals

SOC Code

2135

Keywords

cyber security, vulnerability