Assessment of policies & procedures: quantifiable measurements are
Testing of security practices
Info exists in physical, electronic, biological forms.
Testing: evaluates quality of the implementation of the procedures
actual systems in operation
locate shortcomings & omissions
static analysis: non-intrusive; examines configuration files, permissions, software versions. Catches known vulnerabilities & admin errors
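An added example (not part of these notes) of the static, non-intrusive check just described: it only reads file modes and an installed-version inventory, never touches a running service. The package name "exampled", its vulnerable versions and the sample tree are constructed placeholder data.

```python
import os
import stat
import tempfile

# Constructed sample advisory data: versions of a hypothetical package "exampled"
# that are known-vulnerable. A real check would load this from a vendor feed.
KNOWN_VULNERABLE = {"exampled": {"1.0.0", "1.0.1"}}


def check_permissions(root):
    """Admin-error check: walk the tree, read modes only (no execution),
    and flag world-writable files and setuid binaries."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if mode & stat.S_IWOTH:
                findings.append((path, "world-writable"))
            if mode & stat.S_ISUID:
                findings.append((path, "setuid"))
    return findings


def check_versions(installed):
    """Known-vulnerability check: compare installed versions (from a package
    database or version files) against the advisory list."""
    return [(pkg, ver) for pkg, ver in installed.items()
            if ver in KNOWN_VULNERABLE.get(pkg, set())]


def run_demo():
    """Build a constructed sample tree and package inventory, run both checks,
    and return (permission findings, version findings)."""
    root = tempfile.mkdtemp(prefix="static-check-")
    good = os.path.join(root, "app.conf")
    bad = os.path.join(root, "secrets.conf")
    for path in (good, bad):
        with open(path, "w") as f:
            f.write("key=value\n")
    os.chmod(good, 0o600)  # owner-only: no finding
    os.chmod(bad, 0o666)   # world-writable: admin error
    installed = {"exampled": "1.0.1", "otherd": "2.3.0"}  # constructed inventory
    return check_permissions(root), check_versions(installed)


if __name__ == "__main__":
    perms, vers = run_demo()
    for path, issue in perms:
        print(f"{issue}: {path}")
    for pkg, ver in vers:
        print(f"known-vulnerable: {pkg} {ver}")
```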
dynamic analysis: active, possibly intrusive. Penetration testing (ethical hacking)
onsite or offsite. Try to gain unauthorized access or deny access; circumvent physical security. Social engineering techniques target people, often the weakest point of security.