ABSTRACT
Your company has made a commitment to security. It’s good for your business, your customers, your
staff, your data, and your systems. Senior management is fully on board; you have a budget and are
encouraged to spend it. You have spent long days (and some nights) ensuring that your documentation is
completed, your patches and configurations are up to date, and you have staff in sufficient number, with
sufficient skill sets, to assist you in the effort. Ah, life is good. But, wait (there is always a catch)! Senior
management and the Board want you to answer a question (your heart is pounding.): “How confident
are you that our security needs have been met? Or, more simply put, how sure are you that everything
you’ve done makes us secure? Can we have some assurance?” Gulp.