I am curious, and so is my management, where or who decides what makes up the canned standard security check items? Are these suggestions by SW staff, or are these something that comes down from other best practices? If so, what?
For example, other than me saying "well DUH telnet access to an external zone is stupid", who decides in the scope of this product that it is indeed stupid, a high risk?
-b