Even if an organization has strong IT and data- security policies and controls, it shouldn’t be satisfied with the adequacy of those defenses if it doesn’t continually verify that they’re sound, uncompromised, and applied consistently. Making those assessments, providing that assurance, and offering recommendations for improvement is where IA comes in.