ABSTRACT
For small organizations, or where there are a sufficient number of experienced security assessors such that each practitioner can hold in his mind all the relevant patterns and solutions that need to be applied, there may not be a need for standardized patterns. When there are enough people to perform due diligence analysis on every proposed system, these practitioners are the governance process for the organization. The need for standards, a standards process, and governance of that process is generally a factor of size, breadth of portfolio, and, sometimes, the necessity for compliance to regulations imposed from the outside.
