
Firmware Security

Risks and Mitigation


Enterprise Practices and Challenges

Abstract

In 2016, reports of ransomware, Internet of Things (IoT) attacks and increased cyberespionage have dominated headlines. Yet many vulnerabilities are present in an area not frequently addressed within the infrastructure of almost all organizations: firmware. In addition, as IoT devices proliferate, firmware, operating system and app functionality become wholly entwined; the differentiation starts to blur.

This study attempts to identify how many firmware attacks are occurring and what is being done to reduce enterprise risk from attacks targeting firmware. The results reveal many interesting findings that indicate positives and negatives for cyber security professionals. The survey, which used multiple-choice and Likert scale formats, was organized in five major sections:

    Demographics
    Frameworks and standards
    Security management and controls
    Impact
    Conclusions
FIRMWARE SECURITY RISKS AND MITIGATION

Table of Contents

    Firmware Background 03
    Description of the Survey Population 04
    Frameworks and Standards 05
    Security Management and Controls 05
    Conclusion 08
    Acknowledgments 12

List of Figures

    Figure 1 Industry Representation 04
    Figure 2 Geographic Representation 04
    Figure 3 Prominent Frameworks 05
    Figure 4 Compliance Audit Feedback Regarding Firmware 06
    Figure 5 Firmware Audit Compliance and Effectiveness Correlation 07
    Figure 6 Firmware Audit Compliance and Control Implementation Correlation 07
    Figure 7 Correlation Between Audit Feedback and Attack Preparedness 08
    Figure 8 Firmware Security Priorities and Attack Occurrences Correlation 09
    Figure 9 Correlation Between Monitoring and Known Occurrences 09
    Figure 10 Security Prioritization and Preparedness Correlation 10
2016 ISACA. All Rights Reserved. 2


Firmware Background

Firmware. It is not often talked about. In fact, some might say it is forgotten, overlooked, an afterthought. However, that hard-coded software that is frequently stored in ROM, flash, etc., is an extremely critical, vulnerable and increasingly attractive entry point for hackers. Firmware compromise can come from a bad actor introducing corrupt firmware, or an original equipment manufacturer (OEM) identifying vulnerabilities in previously trusted firmware. OEM examples are not limited to small vendors or those new to the market. Fortinet realized a large vulnerability this year when a Secure Shell (SSH) back door was identified that allowed users to log in with administrative privileges to vulnerable devices.1 The vulnerability was a result of a design feature, unlike Juniper, which discovered unauthorized code in the ScreenOS that runs on many of their firewalls. The code allowed for unauthorized administrative access and also for decryption of virtual private network (VPN) connections that could allow a bad actor to listen passively to traffic that was thought to be encrypted.2

While firmware is not one of the most commonly reported attack vectors, recent incidents such as those at Fortinet and Juniper, as well as those of the Equation Group's attack on drives and attacks such as Flame, which received extensive media attention, have brought firmware into light as a vulnerability, resulting in discussion focused on components of platforms such as basic input-output system (BIOS) and secure boot.

For the most part, firmware is not built with security as a priority. Functionality is, and once it is acquired it is easy to forget about firmware. It is generally reliable, and if new updates are produced by the vendor, they generally work. But if firmware itself is forgotten it is easy to see why the security considerations of firmware are frequently overlooked.

While attack impact can be extremely problematic for an enterprise, the focus of the security team tends to be on protecting assets that have a high likelihood of being targeted: databases or authentication credentials, for example. Traditionally, it was easier for hackers to launch an attack at software to steal this information than to successfully penetrate an enterprise's firmware assets. However, it is the underlying systems, all the way down to the firmware layer, that ultimately take responsibility for the systems hosting these attractive data sets. With the evolution of operating system (OS) and hypervisor security technologies, the bad actors are changing their focus.

In addition, firmware maintenance is often considered an operations function rather than a security concern. While the security team may be alerted that a vulnerability is discovered, nothing will be done if there is no process to advise operations that a patch is required. Similarly, if firmware is not part of a continuous security monitoring process, no one will detect unauthorized changes, including the introduction of malware at the firmware layer.

The data in this study's survey results indicate that respondents are beginning to understand the potential impact of a successful exploit against the enterprise firmware; however, most respondents do not have a holistic program in place to address firmware vulnerabilities within their infrastructure.

1 Gross, Garrett; "Juniper ScreenOS Backdoor Eavesdropping," AlienVault, 11 January 2016, https://www.alienvault.com/blogs/security-essentials/juniper-screenos-backdoor-eavesdropping
2 Scholl, Derrick; "Important Announcement about ScreenOS," Juniper, 17 December 2015, https://forums.juniper.net/t5/Security-Incident-Response/Important-Announcement-about-ScreenOS/ba-p/285554


Description of the Survey Population

The populations invited to respond to the survey were selected ISACA certification holders and members. Due to the nature of the survey, the targeted population consisted of individuals who have cyber security job responsibilities. More than 750 individuals participated, of which 436 indicated that their primary job function is cyber security or information security. The data represented in this report reflect the information provided by those 436 individuals.

A typical respondent can be described as follows:

    ISACA member: 81 percent
    A holder of the Certified Information Security Manager (CISM) (60 percent) and/or a Certified Information Systems Security Professional (CISSP) (40 percent) credential
    Geographically diverse: Have operations in North America (49 percent), Europe (54 percent), Asia (38 percent)
    Business sectors/industries: 22 percent in financial services, 26 percent in technology services/consulting
    78 percent are in cyber security/information security management while 21 percent are cyber security/information security practitioners.
    61 percent are employed in an enterprise with at least 1,500 employees.

While the norms of the sample population are interesting to consider, it is important to note some of the characteristics of respondents that are not in the majority. Among those surveyed, respondents are employed in more than 20 industries (see figure 1) and have business operations in at least four other major global regions (Latin America, Middle East, Africa and Oceania) in addition to the majority areas (see figure 2).

Figure 1: Industry Representation. Which of the following best describes your business industry? (Pie chart; categories shown: Financial/Banking, Technology Services/Consulting, Government/Military-National/State/Local, Telecommunications/Communications, Health Care/Medical, Manufacturing/Engineering, Insurance, Education/Student, Transportation, Retail/Wholesale/Distribution, Utilities, Other.)

Figure 2: Geographic Representation. Please indicate the regions in which your company currently operates. (World map with the share of respondents operating in each region: Europe 54%, North America 49%, Asia 38%, Middle East 33%, Latin America 25%, Africa 24%, Oceania 18%.)


Frameworks and Standards

Security has no shortage of frameworks and standards. In fact, respondents reported use of more than 20 distinct frameworks or standards to manage risk to hardware and firmware within the information security program.

However, the most common standard by far was International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27001, with 74 percent of respondents reporting that it is used in their enterprise (see figure 3). The next closest was COBIT 5 (28 percent), Payment Card Industry Data Security Standard (PCI DSS) 3.0 (27 percent), National Institute of Standards and Technology (NIST) SP 800-53 (18 percent), and NIST Cybersecurity Framework (CSF) (13 percent).

While enterprise use of frameworks for general security governance and management is overwhelmingly dominated by ISO/IEC 27001, when it comes to frameworks used specifically for firmware (implementation, monitoring and remediation), ISO/IEC 27001's use percentage drops to 60 percent, though it is still by far the most dominant, with COBIT 5 coming in with a reported 19 percent use and PCI DSS 3.0 a reported 18 percent. A significant increase is in the unknown category, moving from 8 percent in general security framework use up to 20 percent when it comes to guidance for firmware. In other words, a further 12 percent of respondents who do know which security frameworks the enterprise uses do not know which, if any, guidance is being followed for firmware security management.

Figure 3: Prominent Frameworks. Please select the security standard/framework(s) your company has adopted for keeping critical systems and information safe. (Horizontal bar chart, 0% to 80%, one bar per framework, in descending order: ISO/IEC 27001, COBIT 5, PCI DSS 3.0, NIST SP 800-53 Rev 4, HIPAA, NIST CSF, PCI, Other, CIS Controls for Effective Cyber Defense Version 6.0, Unknown, HITRUST CSF, Australian Top 35, FFIEC Assessment Tool, FFIEC Examiners Handbook, NSA Top 10, UK ICO Protecting Data, UK Cyber Essentials, NERC CIP, GCHQ 10 Steps, FedRAMP.)

Security Management and Controls

While frameworks and standards are critical for effective governance and management, policies and executive support set the tone for the enterprise, critically aiding or weakening the effectiveness of the enterprise security program. That is true also


in the selection of infrastructure and the management process around it. Survey results show that in organizations where security is a high priority in the hardware life cycle approach, enterprises fare better in a few areas. Audit reports show that these enterprises have fewer audit findings in the area of firmware and are also more aware of their vulnerabilities. For example, data in figure 4 show that 69 percent of enterprises that place a high priority in this area are at least partially compliant and only 17 percent of that same group received no feedback at all on firmware controls. On the other hand, none of the enterprises that indicated that security is not a priority in the hardware life cycle management process reported being even partially compliant, and a whopping 67 percent received no feedback in their audit report on this critical attack surface. It is evident that, in many enterprises, hardware and firmware are being overlooked from the beginning and through the audit process, leaving many unaware whether systems are vulnerable or, worse, compromised.

The survey results demonstrate that audit timing is a key variable in how enterprises are performing. As seen in figure 5, 63 percent of the individuals who report being fully compliant on audits relating to firmware integrity monitoring, validation or firmware flaw remediation rate their overall patch management processes and procedures as highly effective. Likewise, figure 6 demonstrates that 51 percent of those who did not receive feedback in this audit category report that they have not yet implemented controls for firmware integrity monitoring, validation and/or firmware flaw remediation, and 34 percent of that no-feedback group have no plans to implement such controls at all, leaving the firmware vulnerability open.

It does appear from the data that, in addition to audit timing, the relationship with the audit team impacts the enterprise's ability to prevent firmware attacks; as an example, only 10 percent of respondents who received no feedback from auditors on firmware controls felt mostly prepared to respond to or mitigate firmware-based attacks, compared to 39 percent of those who were receiving feedback and had minor deficiencies, as seen in figure 7.

In addition to having better audit feedback with which to move forward, the enterprises that place a high level of importance on security in the overall approach to life cycle management do a number of things differently from the

Figure 4: Compliance Audit Feedback Regarding Firmware. Which of the following choices best describe feedback your company has received via compliance audits related to firmware integrity monitoring, validation and/or firmware flaw remediation? (Stacked bar chart, 0% to 100%. One bar per hardware life cycle security priority: High Priority: Security Is a Key or Driving Criteria; Moderate Priority: Security Is Considered Among Other Key or Driving Factors; Low Priority: Security Is Considered but Is Not a Key Factor; Not a Priority: Security Is Not a Consideration; Unknown. Series: Fully Compliant, No Deficiencies Exist; Partially Compliant, Minor Deficiencies Exist; Noncompliant, Material Deficiencies Exist; No Feedback Received Regarding Firmware Controls; Unknown.)


enterprises that do not place high importance on security in hardware life cycle management. For example, 84 percent of enterprises in the high level of security category include firmware in the enterprise's patch management system vs. only 49 percent of enterprises in the low level of security category. Similar results occur relative to using Trusted Platform Module (TPM) management tools (67 percent vs. 40 percent). Finally, only 19 percent of companies that place a high level of importance on security in the overall approach to hardware life cycle management do not use tools to detect and log changes in firmware, vs. 62 percent of enterprises that place a low priority on security in hardware life cycle management.

The enterprises that place priority on security in hardware life cycle management also monitor more hardware and firmware than enterprises that do not. To the authors' knowledge, this study is the first to systematically capture self-reported firmware malware incidents from security professionals around the world. More than half (52 percent) of the study's participants who do place a priority on security within hardware life cycle management report at least one incident of malware-infected firmware being introduced into a company system, and 17 percent reveal that the incident had a material impact.

Figure 5: Firmware Audit Compliance and Effectiveness Correlation
(Rows: compliance audit feedback regarding firmware controls. Columns: reported effectiveness of the overall patch management process. Each row's Total is that row's share of respondents; the bottom row gives respondent counts per column.)

Audit feedback | Highly Effective | Effective | Substandard | Unknown | Total
Fully Compliant, No Deficiencies Exist | 63% | 29% | 6% | 2% | 11%
Partially Compliant, Minor Deficiencies Exist | 9% | 78% | 10% | 3% | 29%
Noncompliant, Material Deficiencies Exist | 0% | 42% | 58% | 0% | 8%
No Feedback Received Regarding Firmware Controls | 6% | 56% | 35% | 3% | 36%
Unknown | 6% | 62% | 10% | 22% | 16%
Total Respondents | 55 | 256 | 97 | 25 | 433

Figure 6: Firmware Audit Compliance and Control Implementation Correlation
(Rows: compliance audit feedback regarding firmware controls. Columns: implementation status of controls for firmware integrity monitoring, validation and/or flaw remediation. Each row's Total is that row's share of respondents; the bottom row gives respondent counts per column.)

Audit feedback | Fully Implemented | Partially Implemented | Planning to Implement Within the Next 12 Months | Planning to Implement Within the Next 24 Months | Not Planning to Implement | Unknown | Total
Fully Compliant, No Deficiencies Exist | 57% | 31% | 6% | 2% | 0% | 4% | 11%
Partially Compliant, Minor Deficiencies Exist | 15% | 67% | 6% | 6% | 3% | 3% | 29%
Noncompliant, Material Deficiencies Exist | 0% | 30% | 18% | 24% | 27% | 0% | 8%
No Feedback Received Regarding Firmware Controls | 4% | 22% | 10% | 17% | 34% | 13% | 36%
Unknown | 4% | 16% | 4% | 4% | 7% | 63% | 16%
Total Respondents | 56 | 155 | 35 | 46 | 72 | 69 | 433


Figure 7: Correlation Between Audit Feedback and Attack Preparedness. (Grouped bar chart, 0% to 60%. One group per audit feedback category: Fully Compliant, No Deficiencies Exist; Partially Compliant, Minor Deficiencies Exist; Noncompliant, Material Deficiencies Exist; No Feedback Received Regarding Firmware Controls; Unknown. Series: Fully Prepared, Mostly Prepared, Partially Prepared, Unprepared, Unknown.)

When it comes to the respondents that plan to implement firmware controls over the next 12 to 24 months, 30 percent say they have had firmware malware introduced into corporate systems, with 11 percent saying at least one occurrence resulted in a material impact. Even among those who have no plans to implement firmware controls, 11 percent say they have had firmware malware introduced into corporate systems, with 3 percent indicating at least one occurrence resulted in a material impact (see figure 8).

These findings demonstrate that firmware attacks can no longer be considered theoretical.

The group that does not prioritize security in the hardware life cycle process has an extremely high rate of no known malware occurrences (73 percent). In addition, this group monitors quite a bit less than those who do, so the data were tested to examine whether the high rate of no known occurrences coincided with the lack of monitoring. In fact, a clear association is indicated between those who do not monitor and no known occurrences (see figure 9). This group does not necessarily have fewer occurrences; it may just not know what it does not know.

It is no surprise to find out that, regarding preparedness, the enterprises that prioritize security as part of the life cycle also feel more confident that they are prepared to respond to an attack at this layer. In fact, 71 percent of respondents in an enterprise that does not place importance on security in hardware life cycle management feel unprepared to deal with an attack at the hardware or firmware layer, vs. just 5 percent of the population that does prioritize security in overall hardware life cycle management (see figure 10).

Conclusion

The vulnerabilities associated with firmware are understood by the security professionals represented in the survey. Roughly half the respondents are at least partially using TPM, and 69 percent report that security is at least a moderate priority in the enterprise's overall approach to hardware life cycle management.

The study revealed that the relationship between audit and the enterprise regarding firmware management is key. The organizations that received valuable feedback during regular compliance audits for firmware fared better than those that did not in regards to preparedness for an attack at this layer, implementation of controls for firmware, and overall patch management processes. Organizations should work to build


Figure 8: Firmware Security Priorities and Attack Occurrences Correlation. (Stacked bar chart, 0% to 100%. One bar per hardware life cycle security priority: High Priority: Security Is a Key or Driving Criteria; Moderate Priority: Security Is Considered Among Other Key or Driving Factors; Low Priority: Security Is Considered but Is Not a Key Factor; Not a Priority: Security Is Not a Consideration; Unknown. Series: Unknown; No Known Occurrences; Single Occurrence, Immaterial Impact; Single Occurrence, Material Impact; Multiple Occurrences, Immaterial Impact; Multiple Occurrences, Material Impact.)

Figure 9: Correlation Between Monitoring and Known Occurrences
(Rows: classes of devices whose firmware the enterprise monitors, measures or collects data on. Columns: known occurrences of malware-infected firmware. Each row's Total is the share of respondents in that row; the bottom row gives respondent counts per column.)

Monitoring | Multiple Occurrences, Material Impact | Multiple Occurrences, Immaterial Impact | Single Occurrence, Material Impact | Single Occurrence, Immaterial Impact | No Known Occurrences | Unknown | Total
Client Devices Such as Laptops, Smartphones or Tablets | 6% | 17% | 10% | 16% | 40% | 11% | 51%
Servers and/or Server-based Platforms | 5% | 19% | 9% | 14% | 45% | 8% | 64%
Network Devices Such as Routers or Switches | 5% | 18% | 9% | 12% | 46% | 9% | 63%
Storage Devices Such as Hard Drives or Storage Area Networks | 5% | 19% | 9% | 15% | 44% | 10% | 50%
Deployed Internet of Things (IoT) Devices | 7% | 34% | 12% | 17% | 17% | 12% | 10%
Currently Not Monitoring, Measuring or Collecting Firmware Data | 2% | 5% | 9% | 2% | 73% | 9% | 21%
Unknown | 5% | 7% | 5% | 4% | 33% | 45% | 13%
Total Respondents | 19 | 60 | 33 | 43 | 218 | 56 | 429


relationships with the audit team to ensure that awareness around firmware is audited and reported to help improve overall asset protection.

Additionally, the importance of security in the enterprise's approach to hardware life cycle management proved to be a leading variable in determining how well enterprises are managing the vulnerabilities associated with firmware. The enterprises that place at least a moderate priority on security within the life cycle monitor more devices, feel better prepared to deal with an attack at the firmware layer and receive better feedback on their audit, enabling them to continuously improve.

While it is a positive indicator that overall governance is improving enterprises' security posture, there are still significant gaps in this area, including a significant number of enterprises that are not monitoring for changes in enterprise firmware and actually do not know whether they have had any successful exploits that have introduced malware into enterprise firmware.

More than half of companies that place a priority on security in the hardware life cycle reported at least one incident of malware-infected firmware introduced into a company system, with 17 percent indicating the incident resulted in a material impact. This is a wake-up call to all organizations that this is a real risk that needs to be mitigated.

Some tips to prevent attacks on firmware for the enterprise include:

    Wherever possible, look for manufacturers that allow the enterprise to independently validate the integrity of their devices (servers, network, storage, IoT).
    Segregate devices into trust zones that allow the organization to operate trusted devices separate from untrusted or untrustable devices.
    Establish a firmware update policy.
    Because continuous monitoring is paramount, acquire systems and technologies specifically for monitoring the integrity of devices via the network, leveraging trusted technologies like TPM.

Some tips to prevent attacks on firmware for manufacturers include:

    Publish known good values of the firmware so customers can validate that they are running trusted code. Establish integrity mechanisms so customers can validate that systems are operating as intended.
    Build in a capability for an auditable firmware update process.
    Disable unused hardware interfaces. Disable consoles or password-protect them.
    Protect bootloaders, which start the firmware when the device boots.
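The enterprise tips above (monitor device integrity continuously, leveraging TPM) and the manufacturer tips (publish known-good values, provide integrity mechanisms), together with the earlier Security Management and Controls point about tools that detect and log changes in firmware, describe checks a practitioner can script. The following is an added example and is not code from the ISACA report or from any vendor's tooling. The vendor name ACME-SW, the model and version strings, the device names and every firmware byte are constructed for the example; the TPM part replays the SHA-256 PCR_Extend rule over a constructed list of measurements rather than parsing a real event log or verifying a signed quote.

```python
# Added example (not from the ISACA report): three firmware integrity checks
# using only the Python standard library.
#   1. validate a firmware image against a vendor-published known-good hash
#   2. detect drift in a fleet's firmware hashes against a recorded baseline
#   3. replay TPM PCR_Extend over known-good boot measurements and compare
# ACME-SW, model/version strings, device names and image bytes are hypothetical.
from __future__ import annotations

import hashlib
import hmac

TRUSTED_BUILD = b"ACME-SW firmware 2.4.1 \x00\x01\x02 signed build image"  # constructed sample

# What a vendor might publish next to a release: (model, version) -> SHA-256 hex.
# Derived from TRUSTED_BUILD here so the example runs offline.
KNOWN_GOOD = {("ACME-SW", "2.4.1"): hashlib.sha256(TRUSTED_BUILD).hexdigest()}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def validate_image(model: str, version: str, image: bytes) -> tuple[bool, str]:
    """Tip: 'publish known good values so customers can validate trusted code'.
    Returns (ok, reason). A missing entry is a failure, not a pass: an image the
    vendor never published a value for cannot be called trusted."""
    expected = KNOWN_GOOD.get((model, version))
    if expected is None:
        return False, f"no published known-good value for {model} {version}"
    actual = sha256_hex(image)
    if hmac.compare_digest(actual, expected):  # constant-time string compare
        return True, "image matches vendor-published SHA-256"
    return False, f"hash mismatch: got {actual[:12]}..., expected {expected[:12]}..."


def detect_drift(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Tip: 'tools to detect and log changes in firmware'. Compare the hashes
    collected from each device on this run with the recorded baseline.
    'changed' is the bucket to alert on: a firmware hash that changed without a
    matching change ticket is either an unrecorded update or a compromise."""
    return {
        "changed": sorted(d for d in baseline if d in current and baseline[d] != current[d]),
        "new": sorted(d for d in current if d not in baseline),
        "missing": sorted(d for d in baseline if d not in current),
    }


# TPM measured boot. A PCR in the SHA-256 bank starts as 32 zero bytes and can
# only be changed by PCR_Extend: PCR_new = SHA256(PCR_old || measurement).
# Replaying the known-good measurements of the boot chain (bootloader, firmware
# volumes, kernel, ...) yields the value an untampered device must report;
# anything else means the chain differs in content or in order.
PCR_INITIAL = bytes(32)


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    return hashlib.sha256(pcr + measurement).digest()


def expected_pcr(measurements: list[bytes]) -> str:
    pcr = PCR_INITIAL
    for m in measurements:
        pcr = pcr_extend(pcr, m)
    return pcr.hex()


def verify_boot_chain(reported_pcr_hex: str, known_good_measurements: list[bytes]) -> bool:
    return hmac.compare_digest(expected_pcr(known_good_measurements), reported_pcr_hex)


def run_example() -> dict:
    """Constructed fleet: two clean switches, one with a modified image, one never baselined."""
    images = {
        "switch-01": TRUSTED_BUILD,
        "switch-02": TRUSTED_BUILD,
        "switch-03": TRUSTED_BUILD + b"\xde\xad",  # appended bytes: implant or unrecorded update
    }
    baseline = {dev: sha256_hex(TRUSTED_BUILD) for dev in images}   # recorded at deployment
    current = {dev: sha256_hex(img) for dev, img in images.items()}  # collected on this run
    current["switch-04"] = sha256_hex(b"unknown device image")       # appeared since baseline

    good_chain = [hashlib.sha256(b"bootloader v1").digest(),
                  hashlib.sha256(b"firmware v2.4.1").digest()]
    reported = expected_pcr(good_chain)        # what a clean device would quote
    swapped = expected_pcr(good_chain[::-1])   # same components, wrong order

    return {
        "validate": {dev: validate_image("ACME-SW", "2.4.1", img) for dev, img in images.items()},
        "drift": detect_drift(baseline, current),
        "pcr_ok": verify_boot_chain(reported, good_chain),
        "pcr_swapped_ok": verify_boot_chain(swapped, good_chain),
    }


if __name__ == "__main__":
    for key, value in run_example().items():
        print(f"{key}: {value}")
```

Treat the drift report as a detection feed: a device in `changed` with no corresponding change ticket is exactly the case that the non-monitoring respondents in figure 9 cannot see. In production the known-good manifest should be fetched over an authenticated channel with the vendor's signature verified, and the reported PCR should come from a signed TPM quote over a fresh nonce; otherwise a compromised host can simply report the expected value.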

Figure 10: Security Prioritization and Preparedness Correlation
(Rows: priority of security in the enterprise's hardware life cycle management. Columns: self-assessed preparedness to respond to or mitigate a firmware-based attack. Each row's Total is that row's share of respondents; the bottom row gives respondent counts per column.)

Hardware life cycle security priority | Fully Prepared | Mostly Prepared | Partially Prepared | Unprepared | Unknown | Total
High Priority: Security Is a Key or Driving Criteria | 32% | 36% | 24% | 5% | 4% | 24%
Moderate Priority: Security Is Considered Among Other Key or Driving Factors | 8% | 26% | 42% | 12% | 11% | 45%
Low Priority: Security Is Considered but Is Not a Key Factor | 1% | 6% | 42% | 49% | 3% | 24%
Not a Priority: Security Is Not a Consideration | 0% | 6% | 18% | 71% | 6% | 4%
Unknown | 6% | 12% | 6% | 0% | 76% | 4%
Total Respondents | 50 | 96 | 151 | 90 | 42 | 429


ISACA
ISACA (isaca.org) helps global professionals lead, adapt and assure trust in an evolving digital world by offering innovative and world-class knowledge, standards, networking, credentialing and career development. Established in 1969, ISACA is a global nonprofit association of 140,000 professionals in 180 countries. ISACA also offers the Cybersecurity Nexus (CSX), a holistic cybersecurity resource, and COBIT, a business framework to govern enterprise technology.

Disclaimer
This is an educational resource and is not inclusive of all information that may be needed to assure a successful outcome. Readers should apply their own professional judgment to their specific circumstances.

Reservation of Rights
2016 ISACA. All rights reserved.

3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
Phone: +1.847.253.1545
Fax: +1.847.253.1443
Email: info@isaca.org
www.isaca.org

Provide feedback: cybersecurity.isaca.org/firmware
Participate in the ISACA Knowledge Center: www.isaca.org/knowledge-center
Follow ISACA on Twitter: www.twitter.com/ISACANews
Join ISACA on LinkedIn: www.linkd.in/ISACAOfficial
Like ISACA on Facebook: www.facebook.com/ISACAHQ


ACKNOWLEDGMENTS
ISACA wishes to recognize:

Lead Developer
Justine Bone, MedSec, USA

ISACA Board of Directors
Christos K. Dimitriadis, Ph.D., CISA, CISM, CRISC, INTRALOT S.A., Greece, Chair
Theresa Grafenstine, CISA, CGEIT, CRISC, CIA, CGAP, CGMA, CPA, US House of Representatives, USA, Vice-chair
Robert Clyde, CISM, Clyde Consulting LLC, USA, Director
Leonard Ong, CISA, CISM, CGEIT, CRISC, CPP, CFE, PMP, CIPM, CIPT, CISSP ISSMP-ISSAP, CSSLP, CITBCM, GCIA, GCIH, GSNA, GCFA, Merck, Singapore, Director
Andre Pitkowski, CGEIT, CRISC, OCTAVE, CRMA, ISO27kLA, ISO31kLA, APIT Consultoria de Informatica Ltd., Brazil, Director
Eddie Schwartz, CISA, CISM, CISSP-ISSEP, PMP, WhiteOps, USA, Director
Jo Stewart-Rattray, CISA, CISM, CGEIT, CRISC, FACS CP, BRM Holdich, Australia, Director
Tichaona Zororo, CISA, CISM, CGEIT, CRISC, CIA, CRMA, EGIT | Enterprise Governance (Pty) Ltd., South Africa, Director
Zubin Chagpar, CISA, CISM, PMP, Amazon Web Services, UK, Director
Rajaramiyer Venketaramani Raghu, CISA, CRISC, Versatilist Consulting India Pvt. Ltd., India, Director
Jeff Spivey, CRISC, CPP, Security Risk Management Inc., USA, Director
Robert E Stroud, CGEIT, CRISC, Forrester Research, USA, Past Chair
Tony Hayes, CGEIT, AFCHSE, CHE, FACS, FCPA, FIIA, Queensland Government, Australia, Past Chair
Greg Grocholski, CISA, SABIC, Saudi Arabia, Past Chair
Matt Loeb, CGEIT, FASAE, CAE, ISACA, USA, Director

Cybersecurity Working Group
Eddie Schwartz, CISA, CISM, CISSP-ISSEP, PMP, WhiteOps, USA, Chair
Niall Casey, Johnson & Johnson, USA
Stacey Halota, CISA, CISSP, CIPP, Graham Holdings, USA
Tammy Moskites, CISM, Venafi, USA
Lisa O'Connor, Accenture, USA
Ron Ritchey, JPMorgan Chase & Co., USA
Marcus Sachs, North American Electric Reliability Corporation, USA
Greg Witte, CISM, CISSP-ISSEP, PMP, G2 Inc., USA
Rogerio Winter, Brazilian Army, Brazil
