https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-115.pdf
This NIST Special Publication is a guide to the basic technical aspects of conducting information security assessments.
NIST SP 800-30 Guide for Conducting Risk Assessments
3.11 3.11.1 Risk Assessment
https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf
This NIST Special Publication provides guidance for conducting risk assessments.
NIST SP 800-53: RA-3 Risk Assessment
Risk Assessment
https://nvd.nist.gov/800-53/Rev4/control/RA-3
NIST resource that defines the prerequisites for effective risk assessments.
North Carolina – Risk Assessment Policy
Risk Assessment
https://it.nc.gov/documents/statewide-policies/scio-risk-assessment/download?attachment
The North Carolina Risk Assessment (RA) Policy is a comprehensive treatment of a security risk assessment: it defines risk categories, risk sources, and risk measurement criteria, covers the scheduling of RAs, and establishes the role of vulnerability scanning in RAs.
Open Web Application Security Project (OWASP) – Vulnerability Scanning Tools
3.11 3.11.2 Risk Assessment
https://owasp.org/www-community/Vulnerability_Scanning_Tools
The Open Web Application Security Project (OWASP) provides a list of commercial and free vulnerability scanning tools for various platforms.
https://assets.contentstack.io/v3/assets/blt36c2e63521272fdc/blt16603a027193d8b9/5e9e0685f92340115007214d/risk_assessment_policy.pdf
This SANS-provided policy discusses performing periodic information security risk assessments.
https://www.sans.org/white-papers/35932/
This SANS whitepaper examines the role of project management in building a successful vulnerability management program.
https://www.sans.org/white-papers/34180/
This SANS whitepaper looks at how a vulnerability management process could be designed and implemented within an organization.
SANS Whitepaper – Vulnerabilities & Vulnerability Scanning
3.11 3.11.2 Risk Assessment
https://www.sans.org/white-papers/1195/
This SANS whitepaper discusses the benefits and pitfalls of vulnerability scanning and suggests an approach suitable for small and medium-sized businesses.
State of Alabama – Vulnerability Scanning Policy
3.11 3.11.2 Risk Assessment
https://oit.alabama.gov/wp-content/uploads/2022/07/Policy_672_Vulnerability_Scanning.pdf
The following is an example from the state of Alabama of a vulnerability scanning policy.