
02 Security-Management-Module UEL-CN-70149089


Security Management module

Cyber Security (University of East London)


UEL-CN-7014 Security Management module


(31230)

Loro Moses William Wani,


Student ID Number: R2109D12694266,
Week 12, Assignment,
05 February 2022.


Table of Contents
INTRODUCTION
PART 1A: CYBER ATTACKS: ANALYSIS OF A REAL-WORLD INCIDENT
REFERENCES
PART 1B: CYBER KILL CHAIN
PART 2: BUSINESS CONTINUITY AND DISASTER RECOVERY
PART 3: SECURITY MANAGEMENT
REFERENCES


PART 1A: CYBER ATTACKS: ANALYSIS OF A REAL-WORLD INCIDENT

1.0. Marriott International, March 2020

Introduction
Marriott International, Inc. is an American multinational corporation that owns, operates,
franchises and licenses residential accommodations, hotels, and timeshare properties.
The company was founded by J. Willard Marriott and his wife Alice Marriott and is
headquartered in Bethesda, Maryland.
By number of available accommodation rooms, Marriott is the largest hotel chain, with
30 brands and 7,642 properties containing 1,423,044 rooms in 131 countries and
territories.
In 2016 Marriott acquired the Starwood hotels group in what seemed to be a lucrative
business venture, which later resulted in the biggest General Data Protection Regulation
fines issued so far.
After the acquisition of the Starwood hotels group, Marriott failed to detect inadequate
security measures, which created a loophole for hackers to gain access to the database.

Incident overview
In March 2020, Marriott made a press announcement declaring that contact details, such
as names, mailing addresses, loyalty account numbers and other personal information of
about 5.2 million guests, could have been exposed in a data breach.

In the official statement, Marriott International, Inc. noted that the issue involved a
software application that the hotels under Marriott’s brands use to provide services to
guests. In late February 2020, the internal security unit of the franchise became aware
that guest information might have been accessed by hackers using the login credentials of
two employees. The suspicious activity is believed to have started in mid-January 2020.

From the investigations carried out by the company, the compromised data include
contact details (name, phone number, email address, mailing address); loyalty account
information for Marriott’s Bonvoy rewards program, including account numbers and
points balances; personal details (date of birth, gender, company/place of work);
partnerships and affiliations (linked airline accounts and frequent flyer numbers); and
preferences (language and room preferences).

The hotel further stated that Bonvoy passwords, credit cards, driver’s licenses, national
identification numbers and passport information were not affected in the data breach.
After the compromise was discovered, the affected login credentials were disabled, an
investigation began, heightened monitoring was implemented, and resources were
arranged to inform and assist guests.
The information exposed is data that could be used as good raw material for
cybercrime.


This was not the first time Marriott International was involved in a data breach. In
November 2018, names, addresses, contact information and passport numbers of about
300 million guests of Starwood hotel properties were hacked. Marriott had then just
acquired Starwood, whose database with data of 500 million accounts was compromised;
the hacking may have been ongoing since 2014.

Below are recommendations by experts on security and forensics to guests who were
or suspected data breach.
Even though there has been no indication that any of the exposed data has been misused,
Marriott offered free personal information monitoring services to those affected through
IdentityWorks for a period of a year.
Though there were reports that Marriott Bonvoy account passwords were not accessed,
the security team recommended updating passwords associated with any Marriott
accounts or bookings, as well as any bank or credit accounts used to make transactions
and reservations.
It has been noticed that the majority of end users use the same passwords repeatedly, and
this has caused problems in data breaches.
End users are always reminded to be vigilant whenever anything is suspicious. Because
several employer affiliations were exposed in the Marriott data breach, Carbone expects
more of an uptick in cyberattacks against businesses whose employees’ data were
exposed.

Guests are advised to consider creating and using different email addresses for
non-essential purposes such as traveling or shopping. The same applies to phone numbers,
so as to isolate primary information from unnecessary exposure.
In several data breaches, experts advise that consumers should consider a freeze on their
credit reports to prevent the wrong people from taking out a credit card or loan in their
name. In Marriott’s recent data breach no financial information was exposed, but any
breach can be damaging if multiple pieces of information have been leaked, and it may
require considering identity theft.
A credit freeze does not protect much against identity theft that is not related to opening
a credit account, including medical identity theft and scams in which criminals set up new
bank accounts.
Experts recommend that end users practice good cybersecurity habits, such as avoiding
clicking on links or opening attachments in emails where the sender is unknown.
Emails are a common way for fraudsters to gain access, and phishing emails are a very
common way hackers gain access.
End users should always use two-factor authentication to log into their accounts, which
generally requires users not only to enter a password but also to confirm their identity by
logging onto their phone or entering a code texted or emailed to them.


Incident analysis
Marriott International has not made most of the details of the data breach public, so it
became difficult to ascertain the extent of the vulnerability caused by the exposure.
The lodging company first became aware of the attack when a security tool flagged an
unusual database query. The tool was managed by a security enterprise called Accenture,
which had been running information technology and information security for Starwood
before the merger and continued to do so for the legacy network afterwards.

It was discovered that the database query was made by a user with administrative rights,
but further investigation revealed that the owner of the account was not the one who
made the query and that someone else had managed to take control of the account.
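
Added example, not from the original essay and not the tool used on the Starwood network: one way a monitoring tool can flag a query like the one described above, by comparing each query against a per-account baseline of source hosts, tables, row counts and working hours. The log format, account names, hosts and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed audit-log lines; the format is an assumption for this example:
# timestamp account role source_host rows=<n> <SQL text>
BASELINE_LOG = """\
2020-01-06T09:12:04 dba_alice admin 10.0.5.21 rows=40 SELECT * FROM job_status WHERE day = '2020-01-05'
2020-01-07T10:03:51 dba_alice admin 10.0.5.21 rows=38 SELECT * FROM job_status WHERE day = '2020-01-06'
2020-01-08T14:47:19 dba_alice admin 10.0.5.21 rows=1 UPDATE config SET value = '30' WHERE name = 'retention'
2020-01-08T11:20:00 svc_booking app 10.0.7.10 rows=1 SELECT * FROM guests WHERE guest_id = 88121
2020-01-09T11:21:30 svc_booking app 10.0.7.10 rows=1 SELECT * FROM guests WHERE guest_id = 90233
"""

NEW_LOG = """\
2020-01-13T09:30:12 dba_alice admin 10.0.5.21 rows=41 SELECT * FROM job_status WHERE day = '2020-01-12'
2020-01-14T02:41:07 dba_alice admin 10.0.9.77 rows=1 SELECT COUNT(*) FROM guests
2020-01-14T02:44:55 dba_alice admin 10.0.9.77 rows=250000 SELECT name, email, loyalty_no FROM guests
2020-01-14T11:22:02 svc_booking app 10.0.7.10 rows=1 SELECT * FROM guests WHERE guest_id = 91007
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<account>\S+) (?P<role>\S+) (?P<host>\S+) "
                     r"rows=(?P<rows>\d+) (?P<sql>.+)$")
TABLE_RE = re.compile(r"\b(?:FROM|JOIN|UPDATE|INTO)\s+([A-Za-z_]\w*)", re.IGNORECASE)


def parse(log_text):
    """Turn audit-log text into event dicts; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        e["rows"] = int(e["rows"])
        e["tables"] = {t.lower() for t in TABLE_RE.findall(e["sql"])}
        events.append(e)
    return events


def build_baseline(events):
    """Record, per account, the hosts, tables, hours and largest result seen."""
    profile = defaultdict(lambda: {"hosts": set(), "tables": set(),
                                   "hours": set(), "max_rows": 0})
    for e in events:
        p = profile[e["account"]]
        p["hosts"].add(e["host"])
        p["tables"] |= e["tables"]
        p["hours"].add(e["ts"].hour)
        p["max_rows"] = max(p["max_rows"], e["rows"])
    return profile


def hour_gap(a, b):
    """Distance between two hours of the day, wrapping around midnight."""
    d = abs(a - b)
    return min(d, 24 - d)


def detect(events, profile, row_factor=10, hour_slack=2):
    """Return one alert per event that deviates from its account's baseline."""
    alerts = []
    for e in events:
        p = profile.get(e["account"])  # .get() does not create a default entry
        reasons = []
        if p is None:
            reasons.append("account has no baseline")
        else:
            if e["host"] not in p["hosts"]:
                reasons.append("new source host")
            new_tables = e["tables"] - p["tables"]
            if new_tables:
                reasons.append("new table: " + ",".join(sorted(new_tables)))
            if e["rows"] > row_factor * max(p["max_rows"], 1):
                reasons.append("row count far above baseline")
            if all(hour_gap(e["ts"].hour, h) > hour_slack for h in p["hours"]):
                reasons.append("outside usual hours")
        if reasons:
            alerts.append({
                "ts": e["ts"].isoformat(),
                "account": e["account"],
                "host": e["host"],
                # A deviating privileged account is the case described in the text.
                "severity": "high" if e["role"] == "admin" else "medium",
                "reasons": reasons,
            })
    return alerts


def run_example():
    profile = build_baseline(parse(BASELINE_LOG))
    return detect(parse(NEW_LOG), profile)


if __name__ == "__main__":
    for a in run_example():
        print(a["severity"], a["ts"], a["account"], a["host"], "; ".join(a["reasons"]))
```

An alert of this kind only says the query does not fit the account; confirming with the account owner, as the investigators did, is what separates a stolen credential from unusual but legitimate work.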

Security forensics had to dig in for more clues and found a Remote Access Trojan (RAT)
along with Mimikatz, a tool used for sniffing out usernames and passwords in system
memory.
It is believed that these two tools gave the hackers control of the administrator
accounts. It is not clear how the RAT was installed onto the Starwood server, but such
Trojans are normally downloaded from phishing emails, and that is likely to have been
the case.

Starwood had not had a good security system in place before Marriott acquired it, and
this let the attack go undetected for a long time. In fact, different attackers had breached
its systems earlier and were not detected for 8 months.

These attacks showed security failings on the part of Marriott International, as the
exposure could have caused disastrous personal impacts.
The mass theft of guest data is normally associated with cybercriminals aiming to
perform identity theft or make use of stolen credit card information.
Older publications from the Washington Post and New York Times cited unnamed sources
in the United States government pointing to hackers hired by Chinese intelligence
services.

The American news outlets, the Post and the Times, had access to a lot of information
regarding the hack and made it public.
They stated that the code and attack patterns used matched techniques employed by
state-sponsored Chinese hackers. The American government intelligence services were
involved in the investigation, and the sensitive nature of the attack could partly explain
why not many technical details were released to the public.

Another reason to believe this data breach is part of a government attack rather than
cybercrime is the fact that none of the millions of valuable records have ended up for
sale on the dark web.
American government sources had speculated that it was part of a bigger Chinese effort
to gain access to huge amounts of data on American government employees and
intelligence officers. Marriott International is a five-star preferred provider for the U.S.
government and military. The stolen passport numbers would be a good source of
information for tracking movements around the world.
The data breach on the server, which resulted in millions of individuals’ information
being stolen with none of it ending up on the dark web or being used for fraud, was part
of the same campaign. The main goal was to create a huge database of information on
American government employees and agents that big data techniques could be used to
analyze.

Following the data breach, Marriott has continued to face multiple lawsuits over its
failure to put better security systems in place on Starwood’s servers. Accenture, the
third-party consulting company to which Marriott outsourced all its IT operations, has
also been sued along with Marriott.
Marriott had incurred $28 million in expenses related to the breach in March 2019, but
luckily the company cut its losses to $1 million through cyber insurance, which covered
much of the associated costs. Insurance against cyberattacks is a new venture, but it paid
off for Marriott.
Earlier, in July 2019, the company faced a harsher blow when the United Kingdom’s
Information Commissioner’s Office (ICO) levied a fine of £99 million for violating
British citizens’ privacy rights under the GDPR.
The British government, through the ICO, noted Marriott’s failure to set up proper
security on Starwood’s IT infrastructure; hence Marriott is facing punishment for
Starwood’s mistakes.

That is just the beginning: it is estimated that direct costs and indirect losses caused by
customers shying away from the company in the future will cost Marriott billions of
dollars in lost revenue due to the data breach.
analytics.

Lessons learned
It is difficult to know all the details regarding the breach, but there were important
points that should have come into focus before the hack, as follows.
• Marriott International was found guilty of having basic security systems that
made it possible for attackers to easily access the hotel’s servers for years.
The guest information was not encrypted, and there was a failure to keep keys for
encryption.
• The deal and transition between Marriott and Starwood were bumpy; at a later
stage the management of the hotel fired Starwood’s IT staff while continuing to
use the poor security system acquired from Starwood. The big UK fine is a hint
that regulators will be holding post-merger corporations liable for these kinds of
issues.
• The hotel and hospitality businesses hold a lot of information and key insights
into the lifestyles, tastes, and relations of individuals, but the travel industry is
far behind sectors like banking when it comes to cybersecurity and needs to catch
up as soon as possible.
• This data breach showed that even private individuals can easily become prey and
collateral damage in the spy vs. spy world of government espionage.
• This breach acts as a lesson to all hospitality businesses to invest heavily in
improved detection and response-based systems and technologies such as
deception-based tools, endpoint detection and response, software-defined
segmentation, and behavior.
• This data breach offers an opportunity to understand the hackers and what drives
them, by trying to identify the characteristics of the criminals in one breach and
helping to pre-empt others. This can reduce future data security risks and will
offer Marriott far more credibility.

Conclusion
It has now become very evident that Marriott International is suffering terrible
reputational damage. If the previous data breaches had not damaged its reputation, this
second one surely did.
The General Data Protection Regulation fines issued to the hotel for the previous data
breaches showed serious shortcomings in its security systems, and it is obvious they still
pose a real threat to the personal information of its guests.

However, Marriott still has the opportunity to repair the reputational damage inflicted by
the data breach by shaping the future for the better and being seen at the forefront of
improved industry-standard systems. It must seize this golden opportunity to turn a
great negative into a positive.


References
https://thepointsguy.com/news/marriott-data-breach-march-2020/
https://dataprivacymanager.net/new-marriott-breach-2020-what-is-going-on/
https://en.wikipedia.org/wiki/Marriott_International
https://www.csoonline.com/article/3441220/marriott-data-breach-faq-how-did-it-happen-and-what-was-the-impact.html


PART 1B: CYBER KILL CHAIN


The concept of the kill chain was derived from a military concept of target identification, force
dispatch to the target, decision and order to attack the target, and the destruction of the target.
In information security, the cyber kill chain is a model for incident response teams, digital
forensics investigators and malware analysts to work in a chained manner.
It is mainly about identifying a particular target, dispatching a force to the target, deciding to
attack the target, and then acting upon the target. That is how the kill chain is used in a military
context.
Lockheed Martin took up this idea and applied it to the information security context: a kill chain
is a systematic process to target and engage an adversary and create the desired effect. For
security analysts who are developing defensive countermeasures, as in the case of Marriott, it is
very important to study the kill chain. This gives them the knowledge to think in the same way as
the attackers. Each stage of the kill chain is a large research area to investigate and analyze. In a
cybersecurity incident, information security analysts try to disrupt or deny the attacker the
ability to carry out that particular incident; by understanding the different stages of the kill
chain that an attacker might use, they can better identify where to detect that activity, mitigate
it, prevent it, and put other defensive controls or mitigation actions in place.
The cyber kill chain mainly consists of 7 stages, as shown in the diagram below.

1. Reconnaissance: Identification, selection and profiling of target.
2. Weaponize: Coupling of Remote Access Trojan with an exploit into a deliverable payload
   called a cyber weapon.
3. Delivery: Transmission of the cyber weapon to the targeted environment.
4. Exploitation: Triggering the attacker’s payload on the target system.
5. Installation: Installation of backdoor and maintaining persistence.
6. Command & Control: Outbound internet controller servers to communicate with
   compromised host.
7. Act on Objective: Data exfiltration, network spreading, system disruption.

PART 2: BUSINESS CONTINUITY AND DISASTER RECOVERY


a) Fastly Content Delivery Network (CDN) internet outage in June 2021
Fastly is a cloud-based computing company that provides Content Delivery Network
services to a range of websites.

CDNs are networks of servers and data centers distributed around the world that allow for
the transfer of assets needed for loading internet content.
However, in June 2021 there was an outage of about an hour, which led to online
speculation that Fastly had fallen victim to a cyberattack. But the company tweeted that
it had identified a service configuration that triggered disruptions across its clusters of
machines globally, and noted that its global network would be back online.

b) Incident response and disaster strategies that companies affected by this event should
implement.
Major content delivery networks were affected by the internet disruption, most especially
news sites and apps like CNN, HBO Max, Hulu, Reddit, the Guardian, the New York
Times, and many others, which had to temporarily suspend services to customers.
This incident showed the importance of having incident and disaster strategies in place to
ensure business continuity in case of such eventualities.

The companies affected by the event should have used multiple CDNs so that when one
fails, they can easily switch to another. However, contracting multiple CDNs is very
costly due to lack of competition, and having one CDN is a huge risk because mistakes
happen.
The other strategy could be for each company to host its own website exclusively, but
this would cause much slower web browsing, reminiscent of the days when dial-up
modems were in use.
This outage showed how concentrated crucial internet infrastructure is among a small
number of companies.
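
Added example, not from the original essay and not the code of Fastly or any affected company: a sketch of the multi-CDN switching recommended above, where health probes drive the choice of provider and thresholds stop a single failed probe from causing a switch. The provider names cdn_a and cdn_b, the origin fallback, the thresholds and the probe timeline are constructed assumptions.

```python
class MultiCdnSelector:
    """Chooses which CDN should serve traffic, based on health-probe results.

    Providers are given in order of preference. A provider is marked down
    only after `fail_threshold` consecutive failed probes and marked up again
    only after `recover_threshold` consecutive good probes, so a single blip
    does not move traffic back and forth.
    """

    def __init__(self, providers, fail_threshold=3, recover_threshold=5,
                 fallback="origin"):
        self.state = {name: {"healthy": True, "fails": 0, "passes": 0}
                      for name in providers}
        self.fail_threshold = fail_threshold
        self.recover_threshold = recover_threshold
        self.fallback = fallback      # serve directly from origin if all CDNs are down
        self.switch_log = []          # (tick, from, to) for the post-incident review
        self._last = self.active()

    def active(self):
        """First healthy provider in preference order, else the fallback."""
        for name, s in self.state.items():
            if s["healthy"]:
                return name
        return self.fallback

    def record_probe(self, name, ok, tick):
        """Feed one probe result; returns the provider traffic should use now."""
        s = self.state[name]          # KeyError for an unknown provider is intended
        if ok:
            s["passes"] += 1
            s["fails"] = 0
            if not s["healthy"] and s["passes"] >= self.recover_threshold:
                s["healthy"] = True
        else:
            s["fails"] += 1
            s["passes"] = 0
            if s["healthy"] and s["fails"] >= self.fail_threshold:
                s["healthy"] = False
        current = self.active()
        if current != self._last:
            # Applying the switch (for example a DNS or traffic-steering change)
            # is outside this example; here it is only recorded.
            self.switch_log.append((tick, self._last, current))
            self._last = current
        return current


def simulate(ticks=90):
    """Constructed timeline, one probe per provider per minute.

    cdn_a: one failed probe at minute 3, then down from minute 10 to 69
           (an outage of about an hour).
    cdn_b: down from minute 30 to 34, so both CDNs are briefly unavailable.
    """
    selector = MultiCdnSelector(["cdn_a", "cdn_b"])
    for t in range(ticks):
        a_ok = not (t == 3 or 10 <= t < 70)
        b_ok = not (30 <= t < 35)
        selector.record_probe("cdn_a", a_ok, t)
        selector.record_probe("cdn_b", b_ok, t)
    return selector


if __name__ == "__main__":
    result = simulate()
    for tick, old, new in result.switch_log:
        print(f"minute {tick}: {old} -> {new}")
    print("serving from:", result.active())
```

The switch log doubles as evidence for the business continuity review: it shows how long traffic stayed on the secondary provider and whether the fallback was ever needed.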


c) Business Continuity Information Security policy document for the event.

In the cybersecurity and IT world, there is a need to set out clear business continuity
plans, since organizations rely on the IT team to recover operations as fast as possible
when something goes wrong.
While many services were restored after the internet outage, several other websites
experienced longer response times as a residual effect of the outage.
Setting up a precise, concise, and organizationally appropriate disaster recovery plan is
crucial for instances such as the Fastly internet outage.
Coming up with such a plan can be a hectic task, but it is highly suitable for an
organization’s head of IT.

Downtime is unacceptable in business, and that is where business continuity comes into
play. Downtime comes from differing sources, such as cyberattacks and natural disasters,
and the plan is to keep the organization running at least at a minimal level during a crisis.
Business continuity maintains an organization’s resiliency in responding urgently to an
interruption, which saves money, time, and company reputation. A prolonged outage
causes financial, personal, and reputational loss.

It requires an organization to analyze potential areas of weakness and gather key
information, such as contact lists and technical diagrams of systems, that can also be used
outside disaster situations. By undertaking the business continuity planning process, an
organization can improve its communication, technology, and resilience.

Legal compliance might be required in areas where increased regulation is needed, so
it is important to understand which regulations affect a given organization.
A complete disaster recovery plan includes contact information, stages to follow when
faced with a variety of incidents, and a well-documented guide. Business continuity
outlines very clear guidelines for the organization on what should be done to keep
operations running. When the time for response arrives, there should be no question about
how to move forward with business processes.

Business continuity requires different levels of response. Not everything is critical, so it
is important to write out what is most important to keep running and what could be put on
hold to come back online later. It is worth noting recovery time objectives.

The continuity process includes the whole organization, from top management
downwards. Although IT will be the department driving business continuity, it is
important to bring in top management to pass on key information to the whole
organization. Security is another important team player; although these two groups
normally work separately, there is a lot of information sharing across these departments.
It is expected that everyone should be aware of the basic steps of how the organization
plans to respond.

There are three main components of a business continuity plan that organizations
should always know, as discussed in detail below.
Resilience.
Organizations should increase resilience by designing critical functions and
infrastructures with various disaster scenarios in mind, through staff rotations, data
redundancy and maintaining a surplus of capacity. Preparing organizations against
disaster using different scenarios can help to maintain essential services on location and
off site without interruption.
Recovery.
Quick recovery to restore business functions to normal after a disaster is very
important. Setting recovery time objectives for each system, network or application
can help prioritize which should be recovered first. Other restoration strategies include
inventories, third-party MOUs to take on organization activity, and using rehabilitated
spaces for mission-critical functions.
Contingency Plan.
There are procedures to follow and put in place for a variety of external scenarios, which
can include a chain of command that distributes responsibilities within the organization.
The responsibilities could include hardware replacement, leasing emergency office
spaces, damage assessment and contracting third-party assistance.

Continuity Management.
The organization should designate who will manage business continuity. For small
organizations an individual can be designated, or the whole IT team for large
organizations. Business continuity management software will be a much better option;
the software can be cloud-based or hosted on the premises, and helps create and
update plans and identify areas of error.
The business continuity plan should always be updated, as the process keeps evolving
with updates and changes in technology. The organization should inform as many people
as possible of the contents of the business continuity plan.
Implementation should not wait until the time of a disaster, so the organization should
carry out regular training exercises so that employees know what to expect and do during
any actual disaster.
It is always advisable to carry out business continuity testing to know whether the plan
will work.
The testing can be a tabletop exercise in which staff discuss what will happen in
case of an emergency. Intensive testing includes a full emergency simulation; sometimes
it is better to perform the testing without notice to mimic a crisis.
After the test, the organization should review how the whole process went and update the
plan. It is very likely that some parts will go right, while other actions might need
readjusting and changes.
Organizations should carry out regular testing, especially if the business changes
in operations and staffing.

PART 3: SECURITY MANAGEMENT


1. Benefits of ISO/IEC 27001 certification
ISO 27001 is the only auditable international standard that defines the requirements of
an information security management system (ISMS).
Information security management is a systematic approach consisting of processes,
technology and people that helps protect and manage all of an organization’s information
through effective risk management.
An ISO 27001-compliant ISMS relies on business-driven risk assessments, which help
identify and treat security threats according to the organization’s appetite and tolerance.

Below are the benefits of certifying to ISO 27001.

Protection of the organization’s reputation from security threats
Organizations certify to ISO 27001 to avoid security threats; this includes both cyber
criminals trying to break in and data breaches caused by internal actors making mistakes.
The framework also ensures that the tools in place strengthen the organization across the
three pillars of cybersecurity: people, processes, and technology.
The standard can also be used to identify the relevant policies needed for documentation,
technologies to protect the organization, and training of staff to avoid mistakes.

Avoid Regulatory fines
ISO 27001 protects organizations from costly penalties associated with noncompliance
with data protection requirements such as the General Data Protection Regulation (GDPR).
The framework has a lot in common with the GDPR, and organizations can use its
guidelines to achieve and maintain compliance.
The framework is also a suitable starting point for any number of regulations.

Reputation Protection
When an organization is ISO 27001 certified, it demonstrates to stakeholders that it
takes information security seriously.
This will bring in new business and improve the organization’s reputation; as a
matter of fact, some organizations will only work with other organizations that are ISO
27001 certified.
Due to increased cyberattacks in the world, obtaining ISO 27001 certification for the
ISMS will help protect the organization and keep it out of the headlines.


Improve Structure and Focus
As the organization grows in operations and staff size, there will be a lot of
confusion about who is responsible for which information assets.
The standard helps the organization by clearly setting out information risk
responsibilities. It also requires the organization to carry out annual risk assessments,
which help it make necessary changes.

Reduce the need for frequent audits
ISO 27001 certification is globally accepted, and this demonstrates its effectiveness in
security and hence reduces the need for repeated customer audits.

2. Discuss and explain an audit or what type of audit should be used for Marriott International,
March 2020.
Cybersecurity Audit
A cybersecurity audit is an intensive, comprehensive review of an organization’s information
systems to ensure that all systems are operating smoothly and efficiently.

It was estimated by cybercrime experts that many businesses might end up paying a staggering
$6 trillion by 2021 for cybercrime-related breaches, as was the case for Marriott International,
which suffered multiple cybercrime data breaches.
A cybersecurity audit can save organizations a lot of money, as enforcement problems that
could have led to fines and potential risks can easily be noticed at an early stage.
Security audits greatly help businesses and organizations secure data and ensure that
confidential information is appropriately maintained and managed.
Security Audit Check
A security audit is also defined as a systematic review of the safety of an organization’s
information systems by measuring how well the systems meet the set criteria and standards.
The security of the physical configuration and environment, software, information management
processes and user practices is usually evaluated by carrying out a complete examination to
reduce risks.

Safety audits are usually done to determine the application of rules, such as the Health
Insurance Portability and Accountability Act, the Sarbanes-Oxley Law and the Law on the
Breaches of California Security, that prescribe the treatment of information by enterprises.

Audit that should be used for Marriott International, March 2020.

Marriott International should have hired external auditors, given that most internal auditors
might not be very comfortable exposing company flaws.
External audits are commissioned by organizations to prove that they comply with industry
norms and standards.
An independent, neutral body conducts third-party audits, and the participating auditors have
no partnership with the organization being audited. Organizations are advised to have a
repeatable and updated security audit plan.


3. Risk Management process for Fastly Content Delivery Network (CDN) internet outage in
June 2021.
Risk management is simply defined as the process of identifying, assessing, and
controlling potential risks in order to reduce the negative impact on an organization.
These potential risks come from several sources including technology issues, financial
uncertainties, accidental and natural disasters, legal liabilities, and strategic management
errors.
An effective risk management process will help organizations identify the risks that
pose the highest threat to them and provides ways to handle them.
Risk management also examines the relationship between risks and the effects of those
risks on the organization’s strategic goals.

This approach to managing risks is described as enterprise risk management (ERM)
because it puts more emphasis on understanding risks across an organization.
As well as focusing on internal and external threats, ERM puts more emphasis on
managing positive risks.
Positive risks are opportunities that could increase business value or damage an
organization if not well looked after. Risk management is developed not only to get rid of
risk but also to preserve and add to the organization’s value by making smarter risk
decisions.

Risk management should be included in the organization’s strategy. To marry the two,
the management of the organization needs to carry out an assessment and define the risk
objectives, that is, the amount of risk the organization is willing to accept in order to
realize its objectives.

The risk management process is divided into three parts: risk assessment and
analysis, risk evaluation, and risk treatment.
Below is a detailed explanation of the three components of risk management and what
should be done to simplify the process.

Risk Assessment and Analysis
This is the first step, in which a risk assessment evaluates an organization’s exposure to
unknown events that could have a negative effect on its operations and establishes an
estimate of the damage the event could cause to the organization’s reputation and profits.
This helps in protecting the organization’s assets, improving decision making and
optimizing operational efficiency to save money, time, and organizational resources.

Risk Evaluation
A risk evaluation is carried out soon after the risk assessment/analysis has been completed.
This stage compares the estimated risks against the risk criteria that the organization has
already established.
Risk criteria include all associated costs and benefits, socio-economic factors, legal
requirements and system errors.


Risk Treatment and Response
This is the last step in the risk management process, and it is the implementation of
policies and procedures that help reduce or minimize risks. Risk treatment also extends to
risk transfer and risk financing.
This stage is an ongoing process, and it does not end once risks have been
identified and mitigated.
The policies are revisited every year to ensure that they are up to date and
relevant to the changing organizational strategy and plans.


References
https://searchdisasterrecovery.techtarget.com/definition/business-continuity
https://en.wikipedia.org/wiki/Business_continuity_planning
https://drj.com/journal_main/how-the-fastly-outage-demonstrates-the-importance-of-a-business-continuity-plan/
https://www.cdw.com/content/cdw/en/articles/security/the-importance-of-incident-response-and-disaster-recovery-planning.html
https://www.n-able.com/features/risk-management-process-definition
https://searchcompliance.techtarget.com/definition/risk-management
https://www.sciencedirect.com/topics/computer-science/risk-management-process
