ABSTRACT
Residual risk exposure is determined and its acceptability evaluated.
Ongoing vulnerabilities, threats, and survivability are monitored.
Outputs from several previous components serve as inputs to these activities. The majority of contemporary information security books and standards
do not mention the topic of verification at all*. This is rather surprising; why should a user, customer, or system owner have any confidence that a system which has not been verified is secure? Perhaps there is a correlation between this fact and the continual reporting of information security breaches on the evening news. In contrast, computer safety and reliability books and standards include extensive discussions of verification activities.
