U.S. Department of Health and Human Services
Two types of testing that an IT Administrator may conduct to check security controls periodically between security authorization cycles are vulnerability scanning and penetration testing.
Vulnerability scanning is an automated process that identifies vulnerabilities in the computing systems on a network in order to determine whether, and where, a system can be exploited or otherwise put at risk. It seeks out security flaws based on a database of known flaws, tests systems for the presence of those flaws, and generates a report of the findings.
Penetration testing is testing in which an evaluator attempts to circumvent the security features of a system based on their understanding of the system design and implementation. The purpose is to identify methods of gaining access to a system by using common tools and techniques used by attackers.
Page 12 of 12
Operations and Maintenance Phase