Chapter 6 Evaluation of Current Status

physical security
personnel policies & practices
business process controls
backup & recovery
network security

Assessment of policies & procedures: quantifiable measurements are best
Testing of security practices

Info exists in physical, electronic, biological forms.

Testing: evaluates quality of the implementation of the procedures
actual systems in operation
locate shortcomings & omissions
static analysis: non-intrusive; reviews configuration files, permissions, versions. Catches known vulnerabilities & admin errors
dynamic analysis: active, possibly intrusive; penetration testing (ethical hacking)
onsite or offsite. Try to gain unauthorized access or deny access; circumvent physical security; social engineering techniques, which often exploit the weakest point in security.
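As an added illustration of the non-intrusive static analysis described above (example code, not part of these notes), a small Python audit over constructed sample files: it flags files writable by group or others, config files readable by others, and a version string below an assumed minimum patched version (the paths, modes and version numbers are placeholders).

```python
"""Non-intrusive static audit: file permissions and software version."""
import os
import stat
import tempfile

# Constructed sample inputs (not taken from any real system):
# relative path -> (permission mode, file content).
SAMPLE_FILES = {
    "etc/app/db.conf": (0o600, "password=placeholder\n"),   # correct: owner only
    "etc/app/app.conf": (0o666, "debug=true\n"),            # admin error: world-writable
    "etc/app/VERSION": (0o644, "2.3.1\n"),                  # assumed out of date
}
MIN_VERSION = "2.4.0"   # assumed minimum patched version (placeholder)

def build_sample_tree():
    """Create the constructed files under a fresh temp dir and return its root."""
    root = tempfile.mkdtemp(prefix="static-audit-")
    for rel, (mode, content) in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
        os.chmod(path, mode)   # set the mode explicitly, ignoring umask
    return root

def parse_version(text):
    """'2.3.1' -> (2, 3, 1) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in text.strip().split("."))

def audit_permissions(root):
    """Read-only walk: flag modes that let group/others write or others read configs."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            mode = stat.S_IMODE(os.lstat(path).st_mode)
            rel = os.path.relpath(path, root)
            if mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append((rel, "writable by group or others"))
            if name.endswith(".conf") and mode & stat.S_IROTH:
                findings.append((rel, "config readable by others"))
    return findings

def audit_version(root, minimum=MIN_VERSION):
    """Compare the recorded version against the assumed minimum patched release."""
    with open(os.path.join(root, "etc/app/VERSION")) as fh:
        found = fh.read().strip()
    if parse_version(found) < parse_version(minimum):
        return [("etc/app/VERSION", f"version {found} below minimum {minimum}")]
    return []

def run_audit(root):
    """Combined report: each finding is (relative path, description)."""
    return sorted(audit_permissions(root) + audit_version(root))
```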