I have conducted more security program assessments than I can remember over the past 15 years. Quite some time ago, I conducted some of the first certification and accreditation efforts ever at the CIA. Those were interesting times. We had very little to go on, and we tried to assess security controls against the few regulations and controls that existed at that time. By the time I left the federal space and started working almost exclusively in the commercial sector, a number of security best practice standards had sprung up. Most recently, in the past 10 years or so, a slew of legislation pertaining to data security and privacy has given us more requirements to adhere to.