Risk managers plan to compare existing security controls to a set of best practice controls described in a technical hardening standard. Which technique would be most helpful to the risk managers in this scenario?