Assessment of policies & procedures: quantifiable measurements are best
Testing of security practices
Info exists in physical, electronic, biological forms.
Testing: evaluates the quality of the implementation of the procedures on actual systems in operation; locates shortcomings & omissions
static analysis: non-intrusive; examines configuration files, permissions, versions. Catches known vulnerabilities & admin errors
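Added example (not from these notes) of the non-intrusive static checks described above: it reads a recorded inventory of permission bits and installed versions instead of probing a live system; all file paths, modes and the minimum-fixed version table are constructed, hypothetical sample data.

```python
"""Static (non-intrusive) checks: permissions and versions from an inventory."""
import stat

# Constructed sample inventory: (path, mode bits, owner), as an audit script
# would collect with stat(). Hypothetical values, not a real system.
SAMPLE_FILES = [
    ("/etc/shadow", 0o100640, "root"),
    ("/etc/passwd", 0o100644, "root"),
    ("/usr/local/bin/backup.sh", 0o100777, "root"),   # world-writable script
    ("/usr/bin/legacy-tool", 0o104755, "root"),       # setuid-root binary
    ("/home/alice/.ssh/id_rsa", 0o100644, "alice"),   # private key readable by all
]
SECRET_FILES = {"/etc/shadow", "/home/alice/.ssh/id_rsa"}

# Constructed minimum-fixed versions (hypothetical): a build below the listed
# version is treated as a known-vulnerable one, the "known vulnerabilities" case.
MIN_FIXED = {"httpd": (2, 4, 10), "openssl": (1, 1, 1)}
INSTALLED = {"httpd": "2.4.7", "openssl": "1.1.1", "bash": "5.1"}

def parse_version(text):
    """Turn '2.4.7' into (2, 4, 7) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))

def permission_findings(files):
    """Flag admin errors visible from mode bits alone (no process is touched)."""
    findings = []
    for path, mode, owner in files:
        if mode & stat.S_IWOTH:
            findings.append((path, "world-writable"))
        if mode & stat.S_ISUID and owner == "root":
            findings.append((path, "setuid-root"))
        if path in SECRET_FILES and mode & stat.S_IROTH:
            findings.append((path, "secret readable by others"))
    return findings

def version_findings(installed, min_fixed):
    """Flag packages whose installed version is below the minimum-fixed version."""
    return [(name, ver) for name, ver in installed.items()
            if name in min_fixed and parse_version(ver) < min_fixed[name]]

if __name__ == "__main__":
    for path, issue in permission_findings(SAMPLE_FILES):
        print(f"PERMISSION {path}: {issue}")
    for name, ver in version_findings(INSTALLED, MIN_FIXED):
        print(f"VERSION {name} {ver}: below minimum fixed version")
```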
dynamic analysis: active, possibly intrusive, e.g. penetration testing (ethical hacking)
onsite or offsite. Try to gain unauthorized access or deny access; circumvent physical security. Social engineering techniques target what is often the weakest security.