14 - Chapter # 14 IT Risks

Chapter 14 discusses IT risk management and security, emphasizing the importance of understanding and managing risks associated with IT systems. It outlines key components such as risk identification, assessment, mitigation, and monitoring, along with strategies to handle various types of IT risks including physical, digital, and human errors. The chapter highlights the strategic importance of IT risk management in ensuring business continuity, compliance, and competitive advantage.

Chapter # 14 IT RISK MANAGEMENT AND SECURITY

1. Understanding risk
2. Key components of IT risk management
3. Types of IT risks & mitigation strategies
4. The role of IT security

1. UNDERSTANDING RISK
Risk is the chance that something bad will happen, such as loss, damage, or disruption.
Every business faces many risks that can affect its money, its reputation, and its operations.
Today businesses also rely heavily on IT (Information Technology) for dealing with customers,
storing data, and managing supply chains. This creates new types of risk, such as data theft, system
crashes, or hacking, which can halt the business, cause financial loss, or reduce customer trust if not
handled properly.

1.1 What is Risk Management?


Risk management means planning how to handle risks so that they cause the least damage, or are
prevented altogether. The main purpose is to keep the business running, protect its assets, and stay
strong during problems.
It usually follows these steps:
• Risk Identification: Find possible risks by studying business activities, IT systems, and outside
factors.
• Risk Assessment: Check how likely each risk is and how much damage it could cause (to money,
operations, or reputation). In short, check the impact of each risk.
• Risk Mitigation: Decide how to treat the risk: reduce it, avoid it, transfer it, or accept it as it is.
• Monitoring and Review: Keep watching for new risks, update strategies, and improve
responses as the business environment changes.
In short, risk management helps organizations prepare for challenges in advance, so they can respond
quickly and even turn risks into opportunities.

1.2 Introduction to IT Risk Management


Nowadays businesses run mostly on technology; IT systems have become the backbone of daily
operations. But this also increases exposure to IT-related risks such as hacking, system failures, and
data errors.

IT Risk Management focuses specifically on IT systems and makes sure they remain safe, reliable, and resilient.
Main goals of IT Risk Management:
• Protect IT Infrastructure: Keep hardware, software, and networks safe from breakdowns,
accidents, or attackers.
• Ensure Data Integrity: Make sure business data stays accurate, consistent, and trustworthy.
• Maintain System Availability: Keep systems running without interruption so operations and
services do not stop.
• Mitigate Cybersecurity Threats: Defend against cybercrime such as viruses, phishing, or new
hacking techniques.
• Support Regulatory Compliance: Follow legal rules and industry standards to avoid penalties
and keep a good reputation with industry and customers.
1.3 Strategic Importance of IT Risk Management
IT risk management is no longer just about fixing technical issues; it is a key strategy that shapes business
success and survival.

• Supporting Digital Transformation


When companies use new technologies (cloud, AI, blockchain, big data), risk management makes
sure these tools stay secure so innovation is safe and sustainable.
• Enabling Business Continuity
Even during cyberattacks, natural disasters, or system failures, risk management ensures the
business keeps running smoothly. This builds customer trust and keeps revenue safe.
• Fostering Trust and Compliance
Following IT laws and data protection rules builds trust with customers and partners. Compliance
also avoids legal trouble and boosts the company’s market image.
• Enhancing Agility and Resilience
With proactive risk planning, businesses can adjust quickly to market changes, new technologies,
or sudden disruptions. They recover faster and stay strong.
• Driving Competitive Advantage
Companies with strong IT risk management stand out as reliable and secure. This helps attract
clients and gives them an edge over competitors.

2. KEY COMPONENTS OF IT RISK MANAGEMENT


To manage IT risks effectively, organizations must adopt a structured, step-by-step approach made up of
several key components. Each component plays a part in identifying, evaluating, mitigating, monitoring,
and responding to risks, so that IT systems remain secure and resilient:
• Risk Identification: Find risks
• Risk Assessment: Understand their likelihood and impact
• Risk Mitigation: Reduce or control them
• Risk Monitoring: Keep an eye on them regularly
• Incident Response Planning: React quickly if something goes wrong
• Scope of IT Risk Management: The areas of risk covered

2.1 Risk Identification


The first step towards managing IT risks is to find out what risks exist that could harm the organization's
IT systems. These risks can come from many places, such as cyberattacks, weak physical security,
mistakes made by people, or problems with outside parties (vendors or the supply chain). Risk
identification matters because you cannot control or fix a risk until you know what it is, what causes it,
and how it could occur.

Techniques for Risk Identification


• Risk Workshops:
Different departments (like IT, Finance, and HR) sit together in workshops to share their views.
Each team may notice different risks, so combining their ideas gives a full picture.
• Threat Modeling:
Thinking like an attacker. Teams create scenarios of how someone might break into the system.
By doing this, they can spot weaknesses before hackers find them.
• Historical Incident Analysis:
Looking at past problems or security issues (either within the organization or in other
companies) helps to recognize patterns. If a certain problem happened before, it might happen
again unless we fix it.
2.2 Risk Assessment
After identifying risks, organizations must check how serious each risk is and how likely it is to happen.
This helps them decide which risks to deal with immediately and which can simply be watched over
time.
To do this, companies often use standard methods (frameworks) like NIST SP 800-30 or ISO 31000, which
provide clear steps for judging how dangerous and how likely different risks are.

Phases of Risk Assessment


1. Risk Analysis
• This step looks closely at each identified risk.
• The organization tries to understand where the risk comes from, what damage it can
cause, and what weaknesses in the system could allow it to happen.
• It also checks how often such threats might occur and what controls are already in place.
2. Risk Evaluation
• Once the risks are analyzed, they are compared with the company's rules and limits.
• Example: How much risk can the company accept? What laws must it follow? What are
the organization's main goals?
• This step helps decide whether a risk is acceptable or needs action.
3. Risk Assessment (Decision Phase)
Risk Matrix (TARA/SARA: Transfer or Share, Avoid, Reduce, Accept)
Probability | Impact | Result
LOW        | HIGH   | Transfer/Shift
HIGH       | LOW    | Reduce/Plan
HIGH       | HIGH   | Avoid
LOW        | LOW    | Accept

Key Elements of Risk Assessment


• Impact Analysis
  • This means checking how much damage a risk could cause.
  • It can affect IT systems, money, customer trust, legal obligations, or the business as a whole.
• Probability Assessment
  • This means checking how likely the risk is to occur.
  • It looks at past events, system weaknesses, and outside trends (for example,
ransomware attacks becoming more common).
• Risk Matrix
  • This is a simple chart that combines impact (how bad it is) and probability (the chance it happens).
  • Risks that are both high-impact and high-probability are the most dangerous and must
be dealt with immediately.
  • Less serious risks (low impact, low probability) can be watched or accepted.
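The following is an added example, not part of the chapter, showing how the probability x impact matrix and the risk appetite limit described in this section turn into a scored, prioritised risk register with a treatment option per entry. The level names, the score thresholds that map a matrix cell to Transfer / Avoid / Reduce / Accept, and the sample register entries are assumptions chosen for illustration.

```python
# Added example (not from the chapter): scoring a risk register with the
# probability x impact matrix above and mapping each cell to a treatment
# option.  Level names, the score thresholds and the sample register are
# assumptions chosen for illustration.
from dataclasses import dataclass

LEVELS = {"LOW": 1, "MEDIUM": 2, "HIGH": 3}


@dataclass
class Risk:
    name: str
    probability: str    # LOW / MEDIUM / HIGH
    impact: str         # LOW / MEDIUM / HIGH
    expected_loss: int  # estimated loss per year if it occurs (currency units)


def score(risk: Risk) -> int:
    """Matrix score = probability level x impact level, 1 (low/low) .. 9 (high/high)."""
    return LEVELS[risk.probability] * LEVELS[risk.impact]


def treatment(risk: Risk, appetite: int) -> str:
    """Map a matrix cell to Transfer / Avoid / Reduce / Accept.

    Thresholds (assumed for this example): score >= 6 is the top-right corner
    and is avoided; score <= 2 is the bottom-left corner and may be accepted;
    in between, a risk whose impact outweighs its probability is transferred
    (insurance, outsourcing) and one whose probability outweighs its impact is
    reduced with controls.  Risk appetite then overrides acceptance: a loss
    above the limit cannot simply be lived with.
    """
    s = score(risk)
    if s >= 6:
        option = "Avoid"
    elif s <= 2:
        option = "Accept"
    elif LEVELS[risk.impact] > LEVELS[risk.probability]:
        option = "Transfer"
    else:
        option = "Reduce"
    if option == "Accept" and risk.expected_loss > appetite:
        option = "Reduce"
    return option


def prioritise(register, appetite):
    """Return (score, name, treatment) rows, highest score first."""
    rows = [(score(r), r.name, treatment(r, appetite)) for r in register]
    return sorted(rows, key=lambda row: row[0], reverse=True)


# Constructed sample register; the appetite of 10 million mirrors the bank example above.
APPETITE = 10_000_000
SAMPLE_REGISTER = [
    Risk("Ransomware on file servers", "HIGH", "HIGH", 25_000_000),
    Risk("Data-centre flood", "LOW", "HIGH", 15_000_000),
    Risk("Staff fall for phishing", "HIGH", "LOW", 2_000_000),
    Risk("Card fraud within tolerance", "LOW", "MEDIUM", 8_000_000),
    Risk("Card fraud above tolerance", "LOW", "MEDIUM", 25_000_000),
    Risk("Cosmetic bug in internal wiki", "LOW", "LOW", 50_000),
]

if __name__ == "__main__":
    for s, name, option in prioritise(SAMPLE_REGISTER, APPETITE):
        print(f"{s}  {option:8s} {name}")
```

Running it lists the ransomware risk first (score 9, Avoid), the two score-3 risks next (flood is transferred because impact dominates, phishing is reduced because probability dominates), and shows the appetite rule in action: the two card-fraud entries sit in the same matrix cell, but only the one whose expected loss exceeds the 10 million limit is escalated from Accept to Reduce.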
2.3 Risk Mitigation and Response Strategies
After identifying and analyzing risks, an organization must decide how to deal with them. This step is
called risk treatment. The choice depends on how likely the risk is, how big its impact can be, how much
risk the organization is willing to take, and what resources it has.

Understanding Risk Appetite


Risk appetite means the amount of risk an organization is willing to accept while trying to achieve its
goals. It helps guide decisions on how to respond to risks.
Example:
• A bank may allow up to PKR 10 million loss per year due to fraud.
• If a risk is expected to cause PKR 8 million loss, the bank may accept it because it is within the
set limit.
• But if the loss could reach PKR 25 million, it is beyond the set limit. In that case, the bank must
reduce, transfer, or avoid the risk.

Four Risk Treatment Options


Organizations usually pick one of four main strategies depending on their risk appetite:
a) Risk Mitigation (Reduction)
b) Risk Avoidance
c) Risk Transfer
d) Risk Acceptance

a) Risk Mitigation (Reduction)


This means reducing the chance or effect of a risk by taking preventive measures. It usually cannot remove
the risk completely, but it lowers the risk to an acceptable level.
Common Mitigation Methods:
• Patching and Updates: Keep systems and software updated to fix weaknesses.
• Access Controls: Give people access only to what they need for their job.
• Employee Training: Teach staff about phishing, data safety, and cyber threats.
• Disaster Recovery & Continuity Plans: Prepare backup systems and plans to keep business
running if something goes wrong.
• Network Security: Divide networks and use encryption to keep sensitive data safe.

b) Risk Avoidance
This means completely avoiding a risky activity instead of trying to control it. It is used when the risk is
too high and cannot be reduced to an acceptable level.
Example:
A bank may avoid entering the cryptocurrency business if laws and regulations are unclear, so it does not
face unnecessary compliance risks.

c) Risk Transfer
This means passing the risk to another party, often through contracts.
Examples:
• Buying cyber insurance to cover financial losses from hacking.
• Outsourcing data storage to a provider with stronger security controls.
Note that transfer shifts the financial or operational burden, not the accountability: a regulator still holds
the organization responsible for its customers' data even when a vendor stores it.

d) Risk Acceptance
This means the organization decides to live with the risk because it is small, or because fixing it would
cost more than the damage it may cause. The decision should be recorded, with a named owner, and
reviewed from time to time.
Example:
Tolerating small, rare bugs in a non-critical application that does not affect the business much.

2.4 Risk Monitoring


Risk monitoring means keeping a close eye on IT systems all the time to catch new risks, threats, or
changes in the company’s security situation. By watching in real time, we can spot problems early before
they grow into major incidents.

Monitoring Tools and Approaches


• Security Information and Event Management (SIEM):
SIEM is like a security control room. It collects log data from across the network and analyzes it to
quickly find unusual or harmful activity.
• Audits and Assessments:
These are regular “checkups” of the system. Audits make sure the company is following security
rules, while vulnerability assessments help discover new weak points in the system as it changes
over time.
• Real-Time Monitoring:
Tools such as intrusion detection systems (IDS), firewalls, and endpoint detection and response
(EDR) work like security guards. They continuously watch the network and devices, quickly
spotting anything suspicious or abnormal.

2.5 Incident Response Planning


No matter how strong a company’s risk management system is, problems (incidents) can still happen. An
Incident Response Plan (IRP) helps an organization quickly detect, control, and fix problems so that the
damage is as little as possible.
Components of an Incident Response Plan:
• Incident Classification: Incidents are divided into levels such as low, medium, high, and critical.
Each level has clear steps on how to handle and escalate it.
• Communication Protocols: Decide how and when to inform people about an incident, including
employees, customers, and regulators. Also, decide who will handle communication inside and
outside the company.
• Post-Incident Review: After the problem is solved, review what happened, find out the root
cause, check how well the team handled it, and identify what can be improved in the future.

Reporting and Documentation


Keeping detailed records of risks, actions taken, and incident responses is very important. Proper
documentation ensures clarity, accountability, and learning for the future. It also helps with audits,
compliance with laws, and better planning.
Reporting and Documentation Best Practices:
• Incident Reports: Write down details of what happened, how it was handled, and what recovery
steps were taken. These reports become a useful reference for future incidents.
• Risk Registers: Maintain a list (register) of all identified risks, their level of seriousness, and the
steps being taken to reduce them.
• Compliance Records: Keep proper proof that the company is following required laws,
regulations, and industry standards (like GDPR, HIPAA, PCI DSS). These documents are needed to
show compliance when required.

2.6 Scope of IT Risk Management (covered in more detail in section 3, Types of IT Risks & Mitigation Strategies)
IT risk management covers many important areas that can affect how an organization’s digital systems
work and stay safe.

Cybersecurity Risks
These are dangers from online attacks that try to steal, damage, or block access to data and IT systems.
Examples include:
• Hackers trying to break into systems without permission.
• Fake emails or messages (phishing) that trick employees into giving away passwords.
• Harmful software like viruses or ransomware that lock or damage data.
• Attacks that overload systems (DDoS), making them slow or unavailable.

Physical Infrastructure Risks


These risks are related to the physical IT equipment (servers, data centers, cables, etc.). Problems may
happen due to:
• Natural disasters like floods, fires, or earthquakes.
• Theft or damage caused by outsiders.
• Equipment failure, such as hardware breakdowns or power issues.

System Failures
These risks happen when IT systems stop working properly, causing downtime or loss of data. Examples
are:
• Hardware failures like server crashes.
• Software errors or outdated programs that are not fixed.
• Network breakdowns due to wrong settings or too much load.

Human Errors
Sometimes employees make mistakes that put systems at risk, such as:
• Setting up security controls incorrectly.
• Deleting important files by accident.
• Clicking on suspicious links or falling for online scams.

3. TYPES OF IT RISKS & MITIGATION STRATEGIES


To manage IT risks properly, we first need to understand what kinds of risk exist. If these risks are not
handled well, they can disrupt business activities, leak sensitive data, or damage trust. IT risks can come
from many sides: physical, digital, human, environmental, or third parties.

3.1 Physical Risks


Physical risks are problems that affect the real, tangible IT equipment like servers, data centers,
computers, and network devices. Although these are physical issues, they can also affect digital systems,
leading to downtime, data loss, or interruptions in services.
Sub-Types of Physical Risks
• Natural Disasters
Events like floods, earthquakes, storms, or fires can damage IT buildings or cut power supply.
• Theft and Vandalism
People may steal or damage IT equipment such as laptops, servers, or cables. This can lead to
loss of data and interruption of services.
• Hardware Failures
Machines like servers or cooling units can stop working due to age, defects, or sudden power
surges.
• Power Outages
Unexpected loss of electricity, whether from the main grid or internal issues, can stop IT systems
from running.

Mitigation Strategies for Physical Risks


• Disaster Recovery and Business Continuity Plans
Prepare step-by-step plans to bring systems back online after disasters. Keep data backups in
safe locations far from the main site.
• Physical Security Measures
Use security tools like biometric locks, CCTV cameras, and guards to protect IT equipment. Store
laptops and portable devices in secure places.
• Hardware Redundancy and Maintenance
Keep backup systems (like extra servers) ready to take over if one fails. Regularly check and
maintain equipment to avoid sudden breakdowns.
• Power Backup Solutions
Use UPS (uninterruptible power supply) and backup generators to keep systems running when
electricity fails. Test them regularly.
• Geographic Diversification
Place critical IT systems in different locations so if one place is hit by a disaster, the other can
continue working.

3.2 Digital Risks


Digital risks are dangers that affect computer software, networks, databases, and other non-physical
parts of IT systems. Most of these risks are linked to cyberattacks and technical weaknesses. They can
seriously threaten the confidentiality (privacy), integrity (accuracy), and availability (accessibility) of data.

Sub-Types of Digital Risks


• Malware and Ransomware:
Malware is harmful software created to enter systems, steal information, or stop normal
operations (viruses are one common kind).
Ransomware is a type of malware that locks (encrypts) data and demands payment to unlock it.
• Phishing Attacks:
Fake emails, texts, or messages designed to trick people into giving up sensitive information such as
passwords or bank details. Attackers often set up fake websites that look like the real ones to capture
user data.
• Data Breaches:
When unauthorized people gain access to private information because of weak security, poor
passwords, or lack of encryption.
• Distributed Denial of Service (DDoS) Attacks:
Attackers use many systems at once to flood the victim's servers with traffic so they crash or become
unavailable to other users. DDoS usually targets websites and online services.
• Zero-Day Exploits:
A cyberattack that takes advantage of a flaw in software before the vendor knows it exists or has had
time to fix it.

Mitigation Strategies for Digital Risks


• Cybersecurity Defenses:
Install firewalls, antivirus, and intrusion detection systems to block threats. Keep all software
updated with the latest security patches.
• Employee Training and Awareness:
Train staff regularly to recognize phishing and other tricks. Run practice exercises (like fake
phishing emails) to test their awareness.
• Data Encryption:
Lock sensitive information using strong encryption so even if stolen, it cannot be read. Properly
secure encryption keys.
• Multi-Factor Authentication (MFA):
Add extra login steps (like a code on your phone) to make accounts harder to hack even if
passwords are stolen.
• DDoS Protection:
Use cloud services to absorb heavy fake traffic and keep systems running. Limit the number of
requests allowed at one time.
• Vulnerability Management:
Do regular security checks and ethical hacking (penetration testing) to find and fix weaknesses
before hackers do.
• Incident Response Plan:
Have a clear plan ready to quickly detect, control, and recover from an attack so damage and
downtime are minimized.
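The "limit the number of requests allowed at one time" advice under DDoS Protection is usually implemented as a token bucket per client. The following is an added example, not from the chapter, of that mechanism: every client starts with a bucket of tokens, each request spends one, and tokens refill continuously, so a burst larger than the bucket is dropped while a normal user is never affected. The bucket size, refill rate and the request trace are constructed for illustration.

```python
# Added example (not from the chapter): a per-client token-bucket rate
# limiter, the mechanism behind "limit the number of requests allowed at one
# time".  Bucket size, refill rate and the request trace are constructed.
from collections import defaultdict


class TokenBucket:
    """Each client gets `capacity` tokens; a request spends one token and
    tokens refill continuously at `refill_per_sec`.  A burst larger than the
    bucket is dropped until enough time has passed to refill it."""

    def __init__(self, capacity: int, refill_per_sec: float):
        self.capacity = capacity
        self.refill = refill_per_sec
        self.tokens = defaultdict(lambda: float(capacity))
        self.last_seen = {}

    def allow(self, client: str, now: float) -> bool:
        # Refill in proportion to the time since this client's last request, capped at capacity.
        elapsed = now - self.last_seen.get(client, now)
        self.tokens[client] = min(self.capacity, self.tokens[client] + elapsed * self.refill)
        self.last_seen[client] = now
        if self.tokens[client] >= 1.0:
            self.tokens[client] -= 1.0
            return True
        return False


def replay(limiter: TokenBucket, trace):
    """Feed (timestamp, client) pairs through the limiter in time order and
    return {client: (allowed, dropped)}."""
    stats = defaultdict(lambda: [0, 0])
    for ts, client in sorted(trace):
        stats[client][0 if limiter.allow(client, ts) else 1] += 1
    return {client: tuple(counts) for client, counts in stats.items()}


# Constructed trace: a flood of 50 requests in half a second from one source,
# and a normal user sending one request per second.
ATTACKER, USER = "203.0.113.7", "198.51.100.5"
SAMPLE_TRACE = [(i / 100, ATTACKER) for i in range(50)] + [(float(i), USER) for i in range(5)]

if __name__ == "__main__":
    print(replay(TokenBucket(capacity=10, refill_per_sec=2), SAMPLE_TRACE))
```

With a bucket of 10 tokens refilling at 2 per second, the flooding source gets its first 10 requests through and the remaining 40 are dropped, while the normal user's 5 requests are all served. In practice this sits at the reverse proxy or CDN edge, keyed on source address or session, and is only the first layer: volumetric attacks that saturate the link must be absorbed upstream by the cloud scrubbing services the section mentions.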

3.3 Human Risks


Human risks come from people’s actions, either by mistake (accidents) or on purpose (intentional harm).
These are dangerous because people are often the weakest part of any security system.

Sub-Types of Human Risks


• Negligence and Errors
These are unintentional mistakes, like setting up a system wrongly, deleting important files, or not
following security rules.
• Social Engineering
This is when attackers trick people into giving up information or access. Common tricks include fake
emails (phishing), inventing a story to gain trust (pretexting), or offering fake freebies (baiting).
• Malicious Insiders
These are employees, contractors, or partners who purposely misuse their access. They might steal data,
damage systems, or help hackers.
• Lack of Awareness
When employees don’t know basic security rules, they may cause risks without realizing it, like using
weak passwords or sharing private data carelessly.

Mitigation Strategies for Human Risks


• Security Awareness Training
Regular training sessions to teach employees about safe practices, spotting fake emails, using strong
passwords, and handling data properly.
• Access Controls and Least Privilege
Only give employees access to the data and systems they need for their job. Use tools (like Role-Based
Access Control) to manage who can access what.
• Behavioral Monitoring
Use monitoring systems to watch employee activity and detect unusual behavior — like downloading too
much data or trying to enter restricted areas.
• Policies and Procedures
Create clear rules for passwords, data handling, and incident reporting. Check regularly (through audits)
that everyone is following them.
• Simulated Attacks
Test employees by sending fake phishing emails or running practice attacks to see if they fall for tricks.
This helps identify weak areas.
• Exit Procedures
When an employee leaves, immediately cancel their access, take back company devices, and make sure
they can’t use old logins to harm the company.

3.4 Environmental Risks

Environmental risks come from conditions outside the organization's control, such as the power supply,
the climate, politics, and public health, that can disrupt IT operations even when the systems themselves
are sound.

Sub-Types of Environmental Risks


• Power Outages:
When electricity is cut off because of problems in the power grid, storms, or damaged
infrastructure.
• Climate Change Impacts:
Extreme weather, rising temperatures, or flooding can damage IT systems or make it difficult to
keep data centers cool.
• Geopolitical Instability:
Political issues such as wars, sanctions, or trade restrictions can block access to important IT
services or equipment.
• Pandemics and Health Crises:
Health emergencies like COVID-19 can force employees to work from home, creating pressure on
IT systems and increasing cyber risks.

Mitigation Strategies for Environmental Risks


• Power Resilience:
Use UPS (uninterruptible power supply) systems and backup generators to keep IT running during
blackouts. Consider renewable or on-site generation to reduce reliance on unstable power grids.
• Climate Adaptation:
Build data centers with energy-efficient cooling and choose locations with a lower chance of
extreme weather. Use monitoring tools to track weather and environmental conditions, and
consider cloud hosting in regions outside high-risk areas.
• Geopolitical Risk Planning:
Work with suppliers in different countries so that political issues in one region do not stop
business operations. Have backup plans for sanctions or trade restrictions.
• Remote Work Security:
Protect employees working from home by using VPNs, secure devices, and strict IT policies to
avoid cyberattacks.
• Business Continuity Planning:
Include environmental risks in company recovery plans. This helps the business recover quickly
and reduces losses if a crisis happens.

3.5 Third-Party Risks


Third-party risks come from outside organizations such as vendors, cloud service providers, or business
partners who get access to a company’s IT systems. These risks are growing because companies today
depend a lot on suppliers and outsourced services.

Sub-Types of Third-Party Risks

• Vendor Security Weaknesses:
If a vendor (supplier) does not follow good security practices, attackers can go through the vendor
to reach the company.
• Cloud Misconfigurations:
Cloud services that are set up incorrectly (for example, a storage bucket left open to the internet)
can expose sensitive data to the public.
• Supply Chain Attacks:
Attackers compromise a company by first compromising one of its suppliers, such as a software
vendor whose update is then trusted and installed.
• Regulatory Non-Compliance:
If third parties do not follow laws or rules, the main company can get into legal trouble or pay
fines.
• Service Interruptions:
If a third-party service goes down, every service that depends on it can stop too.

Mitigation Strategies for Third-Party Risks


• Vendor Risk Assessments:
Check the security of vendors before working with them. Add clear security requirements in
contracts.
• Continuous Monitoring:
Use tools to regularly monitor how vendors are managing security and whether they are
following rules.
• Cloud Security Best Practices:
Ensure cloud systems are set up correctly, such as blocking public access to private files and
enabling activity logs.
• Supply Chain Security:
Secure all levels of the supply chain. Ensure every partner follows cybersecurity standards. Keep
a record of all software parts (SBOM – Software Bill of Materials).
• Contractual Safeguards:
Write clear rules in vendor contracts about data protection, incident reporting, and compliance.
• Redundancy for Critical Services:
Keep backup providers or in-house options ready so work continues even if a third-party service
fails.
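The Cloud Misconfigurations sub-type above and the "set up correctly, such as blocking public access to private files and enabling activity logs" advice under Cloud Security Best Practices are the kind of check an automated posture scan performs. The following is an added example, not from the chapter, that audits a list of storage buckets for public access, missing logging, missing encryption and missing versioning, and produces a hardened copy of each. The record format is a simplified, provider-neutral shape invented for this example; the field names and the sample buckets are constructed, not any real provider's API.

```python
# Added example (not from the chapter): an audit of cloud storage settings for
# the misconfigurations described above, with a hardened copy of each bucket.
# The record format is a simplified, provider-neutral shape; field names and
# the sample buckets are constructed for this example.

SEVERITY = {"HIGH": 3, "MEDIUM": 2, "LOW": 1}

# Constructed sample: one badly configured bucket, one good one, and one that
# is public on purpose (a website) and has been marked as such.
SAMPLE_BUCKETS = [
    {"name": "customer-kyc-scans", "public_read": True, "logging": False,
     "encryption": "none", "versioning": False},
    {"name": "finance-reports", "public_read": False, "logging": True,
     "encryption": "aes256", "versioning": True},
    {"name": "marketing-site", "public_read": True, "logging": True,
     "encryption": "aes256", "versioning": False, "public_intended": True},
]


def findings(bucket):
    """Return (severity, message) pairs for one bucket, worst first."""
    out = []
    if bucket["public_read"] and not bucket.get("public_intended", False):
        out.append(("HIGH", "public read access that nobody has marked as intended"))
    if not bucket["logging"]:
        out.append(("MEDIUM", "access logging disabled: a breach would leave no trail"))
    if bucket["encryption"] == "none":
        out.append(("MEDIUM", "no encryption at rest"))
    if not bucket["versioning"]:
        out.append(("LOW", "versioning off: accidental deletes are unrecoverable"))
    return sorted(out, key=lambda f: SEVERITY[f[0]], reverse=True)


def audit(buckets):
    """Map bucket name -> findings for every bucket in the inventory."""
    return {b["name"]: findings(b) for b in buckets}


def harden(bucket):
    """Return a corrected copy (the input is left untouched): private unless
    public access is explicitly intended, logging on, encryption on, versioning on."""
    fixed = dict(bucket)
    fixed["public_read"] = bool(bucket.get("public_intended", False))
    fixed["logging"] = True
    if fixed["encryption"] == "none":
        fixed["encryption"] = "aes256"
    fixed["versioning"] = True
    return fixed


if __name__ == "__main__":
    for name, items in audit(SAMPLE_BUCKETS).items():
        print(name, items or "OK")
```

The important design point is the explicit `public_intended` flag: a scanner that simply flags every public bucket drowns the team in noise about websites and public datasets, while one that silently accepts public access misses the KYC scans. Requiring an explicit, reviewable exception keeps the default deny and makes every public bucket somebody's recorded decision.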

3.6 Compliance and Regulatory Risks


Organizations that deal with sensitive financial or personal data must follow different laws and
regulations. If they fail to follow them, they can face heavy fines, legal actions, loss of reputation, and a
decline in trust from customers and stakeholders.
Key Regulatory Frameworks in Pakistan
• State Bank of Pakistan (SBP): Requires banks and financial institutions to use strong IT
governance, protect data, and maintain proper cybersecurity.
• Securities and Exchange Commission of Pakistan (SECP): Provides rules for cybersecurity to
make sure companies can resist cyberattacks and report incidents properly.
• Prevention of Electronic Crimes Act (PECA), 2016: Gives the government the power to
investigate and punish cybercrimes.
• Cyber Security Policy of Pakistan: Provides a national strategy to protect the country’s important
digital systems and information.
• Electronic Transactions Ordinance, 2002: Gives legal status to digital records, online contracts,
and electronic signatures.

International Bodies and Associated Risks


• Financial Action Task Force (FATF): Creates international rules to stop money laundering,
terrorist financing, and illegal fund movements.
• International Monetary Fund (IMF): Reviews countries’ financial systems and checks whether
they are following FATF standards.
• Pakistan and FATF Grey List: Pakistan has often been placed on FATF’s “grey list,” which causes
economic and reputation problems. These include:
• Lower foreign investment.
• Higher costs for international transactions.
• Stricter monitoring by global financial institutions.

Technology’s Role in Regulatory Compliance


To reduce risks and follow regulations, companies are now using advanced technologies:
• RegTech (Regulatory Technology):
• Automates compliance and reporting work.
• Uses AI to track regulatory changes and update company policies.
• AML & CFT Systems:
• Use machine learning to detect suspicious transactions.
• Apply data analytics for better KYC (Know Your Customer) and customer screening.
• Digital Forensics & Cybersecurity Tools:
• Help find and stop cyber threats in advance.
• Keep automated audit records to show compliance with cybersecurity laws.
• Blockchain & Distributed Ledger Technology (DLT):
• Provide transparent and tamper-proof records.
• Improve financial security and help regulators track transactions.

4. THE ROLE OF IT SECURITY


IT security is all about keeping computer systems, networks, and data safe from hackers, unauthorized
users, and system failures. As businesses use more digital systems, the need for strong IT security has
increased. Today, companies do not just use basic protections; they use multiple layers of security to stay
safe.
4.1 Foundational IT Security Measures
To stay protected, organizations should use different security layers, just like a house has locks, alarms,
and cameras.

Access Controls
Access controls make sure that only the right people can enter or use certain systems or data.
1. Role-Based and Attribute-Based Access Controls
• RBAC (Role-Based Access Control): Access is given based on a person’s job role (e.g., HR staff
can see HR data).
• ABAC (Attribute-Based Access Control): Access is given based on conditions like location,
department, or time.
2. Least Privilege Principle
• People should only get the minimum access they need to do their job. This reduces risk.
3. Multi-Factor Authentication (MFA)
• Users confirm their identity in two or more ways, such as:
• Password (something you know).
• One-time code or smart card (something you have).
• Fingerprint or face ID (something you are).
4. Privileged Identity Management (PIM)
• Some accounts (like admin accounts) have extra power. PIM helps manage them safely.
• Access is given only when needed.
• Extra access expires automatically.
• All activities are monitored.
5. Privileged Access Management (PAM)
• Focuses on protecting very sensitive accounts (like system admins).
• Stores and protects passwords.
• Records activities for monitoring.
• Blocks harmful commands.
6. Identity Governance Integration
• Combines access control tools with governance systems for better monitoring and
compliance.
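The following is an added example, not from the chapter, of how the RBAC, ABAC, least-privilege and MFA controls listed above combine in a single authorisation decision: a role grants a fixed permission set (deny by default), and privileged actions additionally require MFA, a request from the office network, and office hours. The roles, permissions, office network range, and request contexts are invented for illustration and are not any product's policy model.

```python
# Added example (not from the chapter): one authorisation check that combines
# RBAC (a role grants a fixed permission set), ABAC conditions (network and
# time of day) and an MFA requirement for privileged actions.  Roles,
# permissions, the office network range and the request contexts are invented
# for illustration and are not any product's policy model.
from datetime import datetime
from ipaddress import ip_address, ip_network

# RBAC, applying least privilege: each role carries only what the job needs.
ROLE_PERMISSIONS = {
    "hr_staff": {"hr:read"},
    "hr_manager": {"hr:read", "hr:write"},
    "sysadmin": {"server:restart", "server:shell"},
}
# Actions that need MFA, the office network and office hours on top of the role.
PRIVILEGED = {"hr:write", "server:shell"}
OFFICE_NETWORK = ip_network("10.0.0.0/8")
OFFICE_HOURS = range(8, 20)          # 08:00 up to but not including 20:00


def ctx(ip: str, hour: int) -> dict:
    """Request context at the given hour on a fixed (constructed) date."""
    return {"ip": ip, "time": datetime(2024, 3, 4, hour, 0)}


def authorise(user: dict, action: str, context: dict):
    """user = {"roles": [...], "mfa": bool}.  Returns (allowed, reason)."""
    granted = set()
    for role in user["roles"]:
        granted |= ROLE_PERMISSIONS.get(role, set())
    if action not in granted:                       # RBAC: deny by default
        return False, f"RBAC: no role grants {action}"
    if action in PRIVILEGED:                        # ABAC: extra conditions
        if not user["mfa"]:
            return False, "ABAC: privileged action requires MFA"
        if ip_address(context["ip"]) not in OFFICE_NETWORK:
            return False, "ABAC: privileged action only from the office network"
        if context["time"].hour not in OFFICE_HOURS:
            return False, "ABAC: privileged action only during office hours"
    return True, "allowed"


if __name__ == "__main__":
    manager = {"roles": ["hr_manager"], "mfa": True}
    print(authorise(manager, "hr:write", ctx("10.1.2.3", 10)))
    print(authorise(manager, "hr:write", ctx("203.0.113.9", 10)))
```

Two things to notice: the RBAC check runs first and fails closed, so an unknown role or an empty role list grants nothing, and the returned reason names which layer refused the request, which is what an auditor or an on-call engineer needs when a legitimate user is blocked.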

Encryption Controls
Encryption protects data by turning it into an unreadable form that only someone holding the right key can
reverse.
• AES-256 (Advanced Encryption Standard with a 256-bit key): A strong symmetric cipher (the same key
encrypts and decrypts) used for files, emails, databases, and cloud storage. Its security depends on
keeping that key secret, so key storage matters as much as the algorithm.
• PKI (Public Key Infrastructure): Uses key pairs (a public key to lock, a private key to unlock) and
digital certificates (like online ID cards) that tie a public key to a verified identity.

Incident Response
Incident Response (IR) is how companies prepare for, detect, and fix cyberattacks.

Incident Response Plan (IRP)


Steps:
1. Preparation: Train staff and set up tools.
2. Detection: Spot attacks early.
3. Analysis: Find out what happened.
4. Containment: Stop the attack from spreading.
5. Eradication: Remove the threat.
6. Recovery: Restore systems safely.
7. Post-Incident Review: Record the root cause and lessons learned (see 2.5).
Security Information and Event Management (SIEM)
• Works like CCTV for IT systems.
• Collects logs and alerts teams when suspicious activity happens.
• Example: If someone logs in from another country at midnight, SIEM alerts the team.
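The SIEM rule sketched in the example above, and the real-time monitoring described in section 2.4, come down to parsing log events and applying detection logic to them. The following is an added example, not from the chapter, that runs two such rules over a handful of constructed authentication log lines: a successful login outside 06:00-22:00 from a country other than the user's home country, and a run of failed logins followed by a success from the same source (a brute-force attack that worked). The log line format, the users' home countries, the thresholds, and the log lines themselves are assumptions made for this example, not any SIEM product's syntax.

```python
# Added example (not from the chapter): the SIEM rule sketched above ("login
# from another country at midnight") run over constructed authentication log
# lines, plus a brute-force rule.  Log format, home countries, thresholds and
# the sample log are assumptions for this example, not a SIEM product's syntax.
import re
from datetime import datetime, timedelta

LOG_RE = re.compile(r"(\S+) user=(\S+) src=(\S+) country=(\S+) result=(\S+)")
HOME_COUNTRY = {"asad": "PK", "sara": "PK"}   # users not listed are treated as foreign

# Constructed sample log: a normal daytime login, a late but local login, a
# midnight login from abroad, and five failures then a success from abroad.
SAMPLE_LOG = """\
2024-03-04T09:05:10Z user=sara src=10.0.4.12 country=PK result=SUCCESS
2024-03-04T23:58:03Z user=asad src=10.0.4.17 country=PK result=SUCCESS
2024-03-05T00:12:41Z user=asad src=203.0.113.7 country=RU result=SUCCESS
2024-03-05T02:00:01Z user=sara src=198.51.100.9 country=DE result=FAILURE
2024-03-05T02:00:05Z user=sara src=198.51.100.9 country=DE result=FAILURE
2024-03-05T02:00:09Z user=sara src=198.51.100.9 country=DE result=FAILURE
2024-03-05T02:00:14Z user=sara src=198.51.100.9 country=DE result=FAILURE
2024-03-05T02:00:20Z user=sara src=198.51.100.9 country=DE result=FAILURE
2024-03-05T02:00:31Z user=sara src=198.51.100.9 country=DE result=SUCCESS
"""


def parse(line):
    """Turn one log line into an event dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts, user, src, country, result = m.groups()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "user": user,
            "src": src, "country": country, "ok": result == "SUCCESS"}


def off_hours_foreign(ev):
    """Rule 1: successful login outside 06:00-22:00 from a non-home country."""
    return (ev["ok"] and ev["country"] != HOME_COUNTRY.get(ev["user"])
            and not 6 <= ev["ts"].hour < 22)


def detect(log_text, fail_threshold=5, window=timedelta(minutes=10)):
    """Run both rules over the log and return (rule, user, src) alerts in order."""
    events = [e for e in map(parse, log_text.splitlines()) if e]
    alerts = []
    failures = {}                       # (user, src) -> timestamps of recent failures
    for ev in events:
        if off_hours_foreign(ev):
            alerts.append(("OFF_HOURS_FOREIGN_LOGIN", ev["user"], ev["src"]))
        # Rule 2: success preceded by >= fail_threshold failures inside the window.
        key = (ev["user"], ev["src"])
        recent = [t for t in failures.get(key, []) if ev["ts"] - t <= window]
        if not ev["ok"]:
            recent.append(ev["ts"])
        elif len(recent) >= fail_threshold:
            alerts.append(("BRUTE_FORCE_SUCCESS", ev["user"], ev["src"]))
            recent = []
        failures[key] = recent
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the sample log this raises three alerts: asad's midnight login from abroad, sara's 02:00 login from abroad, and the brute-force success against sara's account. The late-night login by asad from the office network raises nothing, which is the point of combining conditions: time alone or country alone would page the team far too often. The windowing in the second rule also matters; without it, five failures spread over a year would eventually trip the threshold.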

4.2 Advanced Security Technologies


As attackers become more advanced, companies use smarter tools.
Artificial Intelligence (AI) and Machine Learning (ML)
• Detect threats quickly by spotting unusual patterns.
• Work faster than traditional methods.
Zero Trust Architecture
• "Never trust, always verify": every user and device, inside or outside the network, must prove its
identity before each access.
• Prevents attackers from moving easily inside the network once they have a foothold.
Blockchain Technology
• Stores data in a way that cannot be changed.
• Useful for identity verification, supply chains, and audits.

4.3 Infrastructure-Level Security Controls


Hardware-Based Controls
• HSMs (Hardware Security Modules): Generate and store cryptographic keys inside tamper-resistant
hardware so the keys never leave the device.
• TPM (Trusted Platform Module): A chip that stores keys and records measurements of the boot
process, so the system can verify that only trusted software started.
• Physical Security: Locks, CCTV, and restricted areas protect servers.
Network Security Controls
• Firewalls: Block unwanted traffic.
• IDS/IPS: Detect and stop malicious activity.
• VPNs: Secure internet connections.
• Network Segmentation: Divides networks into zones to limit attacks.
Endpoint Security
• Antivirus/Antimalware: Protects computers and phones.
• EDR (Endpoint Detection & Response): Detects threats in real time.
• MDM (Mobile Device Management): Keeps company data safe on mobile devices.

4.4 Policy and Governance Controls


Security Policies and Frameworks
• Rules like password policies, data protection policies, etc.
• Frameworks like ISO 27001, NIST, and COBIT guide organizations.
Audits and Compliance Monitoring
• Regular checks to make sure the company follows laws and standards (e.g., GDPR, HIPAA).
• Automated tools help monitor compliance.

4.5 Integrating Security with Enterprise Architecture


Security must be built into systems from the start.
• Secure SDLC: Test security at every stage of software development.
• DevSecOps: Add security into continuous development.
• CSPM (Cloud Security Posture Management): Fix cloud misconfigurations automatically.
