How could Administrative, Technical, and Physical Controls introduce a false sense of security?
What are the consequences of not having verification practices?
What can a firm do to bolster confidence in their Defense-in-Depth strategy?
How do these activities relate to "Best Practices"? How can these activities be used to demonstrate regulatory compliance?