Security assessment is focused on determining the degree to which information system security controls are correctly implemented, whether they are operating as intended and whether they are producing the desired level of security. Vulnerability assessment is focused on determining the weaknesses inherent in the information systems that could be exploited leading to information system breach. Without Security and vulnerability assessments, the potential exist that information systems may not be as secure as intended or desired.