How do Vulnerability Assessments/Penetration Tests and Patch Management correlate? Can an organization have a strong Risk Assessment plan/program and NOT include both? Why or why not? Do you have any experience with Vulnerability Scanning/Penetration Testing tools, such as Nessus, SAINT, or Metasploit? What have you used them for, and how helpful are they?