Under 23 NYCRR 500 many companies are obligated to conduct “vulnerability assessments” bi-annually (note: this means twice per year, not once every two years!).
Vulnerability assessments are aptly named because, well, they are assessments intended to identify cybersecurity vulnerabilities. But cybersecurity jargon is often tossed around and left undefined.
In the world of information security, a vulnerability is any weakness or gap that a threat could potentially exploit. For example, leaving your front door unlocked is a vulnerability because a burglar (i.e., the threat) could take advantage of this weakness in your home security.
In practice, a vulnerability assessment is the process of identifying these types of gaps in the context of your information systems. For instance, are there places where systems are “unlocked” and Nonpublic Information could be accessed by an outsider?
There are tools available that help companies cost-effectively conduct their own vulnerability scans, but many companies should rely on internal expertise or the assistance of a third party to carry out the assessment.
As with many of the more technical requirements of 23 NYCRR 500, smaller companies are often exempt. Check the requirements, and your exemptions, closely before assuming this must be done at your company.