2.3 Given a scenario, perform vulnerability management activities.

Vulnerability scans

 Credentialed vs. non-credentialed

 Agent-based/server-based

 Criticality ranking

 Active vs. passive

Security Content Automation Protocol (SCAP)

 Extensible Configuration Checklist Description Format (XCCDF)

 Open Vulnerability and Assessment Language (OVAL)

 Common Platform Enumeration (CPE)

 Common Vulnerabilities and Exposures (CVE)

 Common Vulnerability Scoring System (CVSS)

 Common Configuration Enumeration (CCE)

 Asset Reporting Format (ARF)

Self-assessment vs. third-party vendor assessment

Patch management

Information sources

 Advisories

 Bulletins

 Vendor websites

 Information Sharing and Analysis Centers (ISACs)

 News reports