It refers to the systematic evaluation of systems and infrastructure powered by information technology to measure how secure the physical configuration, software, information handling processes, user practices and environmental conditions are according to established criteria.
These audits, conducted together with vulnerability assessments (which seek out weaknesses) and penetration testing (which conducts trial attacks), help establish the security credentials of a system.
Once a list of relevant assets (computers, peripherals, security devices, servers, etc.) is made, a list of threats must be made for each asset. Threats must then be classified by type (passwords, access conditions, backups, dependencies, physical integrity) and by severity (low to high) to arrive at an understanding of risk, which is the intensity of a possible harm multiplied by its probability. The system's own history must be assessed, looking out for patterns. Benchmarking against comparable organisations may also prove useful. Corrective measures must then be undertaken.
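The procedure above (assets, threats per asset, classification by type and severity, risk as harm times probability, history, corrective action) as a small risk register, written as an added example and not part of the original text. The numeric scales, the category names' use as a field, the rule that past incidents raise the probability estimate, and the action threshold are all assumptions made for this illustration.

```python
from dataclasses import dataclass
from collections import defaultdict

# Ordinal scales assumed for this example; the text only says "low to high".
SEVERITY = {"low": 1, "medium": 2, "high": 3}      # intensity of the possible harm
LIKELIHOOD = {"rare": 1, "possible": 2, "likely": 3}  # probability of the harm


@dataclass
class Threat:
    asset: str
    description: str
    category: str        # passwords, access conditions, backups, dependencies, physical integrity
    severity: str        # key into SEVERITY
    likelihood: str      # key into LIKELIHOOD
    past_incidents: int = 0  # taken from the system's own history

    def risk(self) -> int:
        """Risk = intensity of harm x probability.

        Assumed rule: a threat that has already materialised once gets its
        probability estimate bumped one step (capped at the top of the scale)."""
        prob = LIKELIHOOD[self.likelihood]
        if self.past_incidents > 0:
            prob = min(prob + 1, max(LIKELIHOOD.values()))
        return SEVERITY[self.severity] * prob


def build_register(threats):
    """Threats ordered highest risk first, as (risk, threat) pairs; ties keep input order."""
    return sorted(((t.risk(), t) for t in threats), key=lambda pair: -pair[0])


def by_category(threats):
    """Group threats by type, as the classification step requires."""
    groups = defaultdict(list)
    for t in threats:
        groups[t.category].append(t)
    return dict(groups)


def needs_action(threats, threshold=4):
    """Threats whose risk meets the (assumed) threshold for corrective measures."""
    return [t for r, t in build_register(threats) if r >= threshold]


# Constructed sample register for one small office environment.
SAMPLE = [
    Threat("file server", "no offsite backup", "backups", "high", "possible"),
    Threat("file server", "shared admin password", "passwords", "high", "likely", past_incidents=1),
    Threat("printer", "unauthenticated management interface", "access conditions", "low", "likely"),
    Threat("server room", "door left unlocked", "physical integrity", "medium", "rare", past_incidents=2),
]
```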