Answer: Security tests are conducted by performing Vulnerability and Risk Assessments. These assessments have been and will continue to be performed on a periodic basis.
A vulnerability is a security exposure in an operating system, software, or application. Vulnerability Assessments scan IT infrastructure and evaluate administrative policies, processes, and procedures to ascertain whether vulnerabilities exist in the current environment, identifying system and/or administrative weaknesses. Vulnerability testing could be a manual audit of a vendor-supplied system or a scan with an automated tool. A penetration test is one form of a vulnerability assessment.
Risk is the potential that a vulnerability can be exploited and the resulting impact of that exploitation. Risk Assessments evaluate each vulnerability found during a Vulnerability Assessment and determine the potential for exploitation and its impact.