The permanent assessment of the security status of Information and Communication Technologies (ICT) systems is a critical activity in any organization. Therefore, it is necessary to deal with security deficiencies, which are not only technical (bugs, erroneous configurations, unexpected active services, backdoors, etc.), but can be human (lack of awareness, inexperience, inadequate training, etc.), procedural (lack of documentation, incorrect actions or out of defined procedure, absence of verifications, etc.) or legislative or normative (deviation from the requirements defined as mandatory).
The evolution of the exposure surface, in view of these deficiencies, makes it necessary to carry out regular audits to verify compliance with the requirements established by the System's security policy.