An important step in conducting a security risk assessment is gathering the important files, statistics, reports, policies, and other information needed to properly evaluate a security program and operations. There are many resources available to a security practitioner regarding best practices and industry standards, and we have listed many of them in this chapter. These information sources will give you the foundation material of an existing security program and will be used to measure the program’s effectiveness. We will walk you through the process and identify numerous possible sources of information, both within your organization and from outside entities and third parties and give you examples of how ...