ProCess 201
One must ultimately ask the question: if IAVA is so great, then
why do we continuously hear about the compromise of government
systems using common exploits? is is not intended to condemn the
process itself but perhaps the implementation. A key item that is lack-
ing is the incorporation of policy compliance into the IAVA process.
It is no more difficult to check for technical policy and standards com-
pliance with an automated tool than it is to check for vulnerabilities.
is ultimately leads us back to a discussion of standards because so
many disparate VM systems may not apply the same methods or lan-
guage for the checks they perform. is makes centralized, positive
control much less effective and more vulnerable to manipula