ABSTRACT

Today, evaluating the security of information and communication technology (ICT) systems against business requirements is a vital component of any organization’s business strategy. The problem is that while many organizations understand what security controls are, few understand the importance of ensuring their effectiveness through verification and validation techniques. Likewise, even fewer organizations understand the process for testing the effectiveness of security controls, much less how to integrate such a process into their underlying risk management strategy. As a result, in many cases, the entire process is performed haphazardly or skipped entirely, increasing the likelihood of a successful attack. “Testing and assurance is a critical step in creating a secure ICT product and it should be obvious that it has to be done. The challenge is that the realities of timing and unanticipated problems seldom permit the testing process to move ahead on a rational schedule. Instead, components come up to testing as they are completed and those things are often completed based on the ‘hardest to execute last’ principle. So in many cases the most critical and complex items in a system are either not tested because of pressures to release the product, or not tested in a serious fashion. The conditions of this inevitable trap are best avoided if the producer wants to create a trustworthy product” (Shoemaker and Sigler, 2015).