But I had a wicked-strong indicator. Later we confirmed it, but the indicator itself was strong enough for me to base certain statements and actions on.
This stuff is not rocket science. By asking high-level, disqualifying questions, one can easily make some broad assessments. Then it's simply a matter of drilling down into the indicated areas, and finding the problems.
Kennedy offers a few more questions, like, "Are you testing for security threats and doing things like external/internal penetration tests and social-engineering efforts to test your controls and your incident response?" and, "Have you ever done a source code analysis or dynamic testing of applications to determine what risks they pose?"
A number of us are working together to make a list of the top ten questions that can be asked in any organization. We feel that this is a great way to share knowledge and experience with the community. Like that idea? Drop me a line, using the contact form at nickselby.com.