MSMVPS.COM

The Ultimate Destination for Blogs by Current and Former Microsoft Most Valuable Professionals.

Harry Waldron - Microsoft MVP Blog

Security News and Best Practices for corporate and home users

Corporate Network Vulnerability and Penetration Testing

Companies should perform vulnerability and penetration testing assessments on a regular basis. IT security professionals benefit from performing them on a quarterly basis to assess weaknesses in security defenses. There is also significant educational value, as security team members will increase their knowledge and better protect the company's information assets.

The vulnerability assessment is an analysis of the entire network and the human control systems, looking for design weaknesses in the security architecture. Penetration testing involves using network scanning tools to locate hidden weaknesses in the technical safeguards protecting the company.

Many basic security concerns can be checked with commercial and even freely available scanning tools. Annually, a more comprehensive test can be performed by an external consulting firm specializing in this process. Companies that do not evaluate or test their controls could encounter unexpected weaknesses in them (e.g., test server settings, admins not completely locking down servers, etc.).

Doing an audit/pentest or other assessment?
http://isc.sans.org/diary.html?storyid=3989

QUOTE: Audit, Security Assessments, Penetration testing and its little sister vulnerability scanning are useful tools to get an idea of the weaknesses in your network.  It is important enough for standards such as PCI-DSS, ISO/IEC 27001, SOX and others to insist on it and many governments around the world insist on it for their agencies.

What is Network Penetration Testing?
http://en.wikipedia.org/wiki/Penetration_test

Network Penetration Testing - Best Practices
http://searchsecuritychannel.techtarget.com/tip/0,289483,sid97_gci1233892,00.html
http://articles.techrepublic.com.com/5100-1009_11-5755555.html
http://www.securityfocus.com/infocus/1736
http://www.cuinfosecurity.com/html/webinar-penetration-testing.html

Feb 19 2008, 04:27 PM by harry
