Common Assessments Criteria

摘要

Conducting security assessments of critical service providers is an essential part of an enterprise risk management program. Highlighting exposures external to your organization will assist in appropriate vendor selection, acceptable risk practices, and reduce the likelihood that your data will suffer a breach due to means outside your direct control. I have seen assessments that do little more than check off a box for a thoughtful, but poorly executed security program. I have also seen assessments that are so detailed that in order to satisfy one area of the assessment I would be required to provide documentation that is clearly restricted for distribution and, hence, would result in failure of a different section of the assessment. Somehow, the folks conducting the reviews cannot seem to find the irony in this.