2020 3rd International Conference on Computer and Informatics Engineering (IC2IE)
IT Infrastructure Security Risk Assessment using the
Center for Internet Security Critical Security Control
Framework: A Case Study at Insurance Company
Heru Winarno, Fatah Yasin, Muhamad Aries Prasetyo, Fathur Rohman, Muhammad Rifki Shihab, Benny Ranti
Faculty of Computer Science,
Universitas Indonesia,
Depok, Indonesia
[email protected]
,
[email protected]
,
[email protected]
,
[email protected]
,
[email protected]
,
[email protected]
Abstract— PT. XYZ is an insurance company that currently
provides a variety of services using electronic systems in 80
service offices throughout Indonesia. At the end of 2019, the
company experienced an IT security incident. The core
application was hit by a malware attack that caused slow system
performance and disruption of insurance operational services.
These events have a negative impact on the company both
operationally and to customers, so that it becomes a serious
concern of management. Therefore, this research aims to see
how companies develop infrastructure to ensure the reliability
and improvement of IT security. The research methodology
used is a qualitative approach by collecting data through
documentation and interview studies. Based on the results of the
assessment, there were 16 out of 20 controls that exceeded the
threshold value. These results illustrate that the security of the
IT infrastructure of PT. XYZ is very weak. Therefore, the
company must carry out 13 recommendations for improvement
that will be carried out in stages. This research is expected to be
a lesson for other organizations especially insurance companies
to improve the reliability and security of IT infrastructure.
Keywords—critical security control center of internet security,
malware, risk assessment method, risk assessment, insurance
I. INTRODUCTION
PT. XYZ is a company engaged in insurance. The
company has provided various services using electronic
systems in 80 service offices throughout Indonesia.
Technology demands and the growing number of offices has
made this company do the digital transformation by utilizing
information technology. In the light of digital transformation,
information and technology (I&T) have become crucial in the
support, sustainability and growth of enterprise [1]. The IT
department has several main services in supporting the
company's business, including Core applications using the
company's internal network, e-Commerce web applications
for direct sales to customers, policy management applications
for major customers, as well as host-to-host integrated
applications both via the internet and VPN.
As a company conducting trade transactions using an
electronic system, the company must follow PP Number 80 of
2019 which regulates trade through electronic systems [2].
PT. XYZ needs to make sure that the existing IT infrastructure
complies with these regulations. Making the wrong decision
in designing, responding to incidents, or maintaining
infrastructure can severely harm a business [3].
PT. XYZ experienced a security incident at the end of
2019. The incident began when core application users felt a
significant decrease in application performance. Many
complaints come through the helpdesk or directly to the
978-1-7281-8247-6/20/$31.00 ©2020 IEEE
Authorized licensed use limited to: Mukesh Patel School of Technology & Engineering. Downloaded on March 18,2024 at 09:42:31 UTC from IEEE Xplore. Restrictions apply.
application developer staff. At first the application
development team assumed that this was a common thing.
Nevertheless they keep checking, that is by tracking the latest
deployment version and seeing what changes are made. Other
staff try to see the database whether locking or suspicious
activity has occurred.
On the first day there were still standard checks and no
concrete efforts had been made by the IT team. This complaint
still continues on the second day when the application is felt
to be slower, a process that is usually done half an hour can
take more than two hours. The IT team began an analysis of
the core application server. The core application has several
nodes so the IT team can alternately restart the service. On the
third day, the application is felt to be slower and cannot be
used for operations while each branch has a production target
by the end of the year.
Surrounding applications such as H2H, web e-Commerce
and other applications that are integrated with the main
application and use the service core cannot run. This causes
disruption and impacts directly to the customer. Complaints
that arise no longer come from internal employees, but also
from customers, and complained directly to the CIO and CEO.
The IT team took this problem very seriously and tried to
restart the application server alternately, the application had
felt better, but it did not last long. When everyone looks for
changes in the application, the CIO instructs the operational
team to see what is happening on the server. After further
checking, it was found that the application server was running
very slowly, due to very high memory and processor usage.
The application team tried to look at the server and found that
no antivirus was installed. The application team and the
operational team suspect that the server is infected with
malware. The two teams rebuilt the server architecture as
before, and installed the new environment. The application
can then run fine and return to normal.
All manager in the IT department are gathered by
management to find out the cause of the problem and hope
that the incident does not recur. The next decision is that the
IT department will conduct an assessment of the IT
infrastructure and fix existing weaknesses. This initiative is in
line with Applegate [3] which states that infrastructure
managers must reorganize the IT infrastructure they manage
after an incident occurs.
PT. XYZ reviews and evaluates the IT infrastructure
security conditions using the Critical Security Control of the
Center of Internet Security (CIS-CSC) framework in terms of
people, process and technology. The people, process and
404
 2020 3rd International Conference on Computer and Informatics Engineering (IC2IE)
technology aspects have been widely recognized as three
elements which are key to process improvement [4]. This
study aims to see how an insurance company can ensure the
reliability and security of IT infrastructure to maintain IT
services. The research contributes to both literature and
practice. For literature, this study investigates the level of IT
infrastructure security, especially in insurance companies in
Indonesia. For practice, this study can be a lesson for other
organizations especially insurance companies to improve the
reliability and security of IT infrastructure.
II. LITERATURE REVIEW
Business leaders are starting to realize the importance of
cyber security. According to a survey conducted by the
Computer Security Institute in 2007, 46% of respondents
consisting of companies and governments have experienced
security incidents in the past 1 year [3]. Managers must
develop defenses to protect important company assets and
information such as data, infrastructure components and
reputation. Maintaining the security of IT infrastructure needs
to pay attention to the situation, business, infrastructure,
targets and technology of the company [3]. The security
review and evaluation used has a different approach.
According to Applegate [3], a framework for managing a
company's infrastructure security requires design decisions,
implementing policies and developing procedures, and strong
execution. Steps that need to be suggested include (i) making
planned and deliberate security decisions, (ii) considering the
safety factor as a moving target, (iii) implementing change
practices in a disciplined manner, (iv) always educating
users, and (v ) use technical steps in stages according to
ability.
A. CIS-CSC
CIS-CSC (Center of Internet Security - Critical Security
Control) or also called CIS Controls is a collection of priority
activities derived from defense best practices in depth to
mitigate attacks on networks or systems [5].
The application of CIS-CSC needs to pay attention to the
scale of the organization which is generally divided into three
parts [5]. First, small and medium organizations that have
limited IT human resources or cyber security. Second,
organizations that have individuals who are responsible for
managing and protecting IT infrastructure. And third,
organizations that have employed cyber security personnel
who have specialized in various fields of security.
CIS Controls v7.1 is divided into three categories namely
basic, foundational, and organizational [5]. The basic
categories, consisting of CIS 1 to 6, require all organizations
to implement these controls for cyber defense readiness. The
foundational category, which consists of CIS 7 through 16,
provides many benefits and good actions for organizations by
implementing it. The final organizational category, which
consists of CIS 17 to 20, focuses on people and processes
involved in the world of cyber security [6].
Dutta [7] create a framework to facilitate the selection of
controls seen from three questions, what, where and why.
Organizations must be able to answer the question: What
controls does a company need for certain security functions?
Where is the adoption of the cyber security environment?
Why is this control effective in stopping attacks?
Authorized licensed use limited to: Mukesh Patel School of Technology & Engineering. Downloaded on March 18,2024 at 09:42:31 UTC from IEEE Xplore. Restrictions apply.
CIS Control can be implemented using the Center for
Internet Security Risk Assessment Method (CIS-RAM)
guidelines. CIS RAM guides risk assessment by providing
instructions, templates, examples and methods [8]. CIS RAM
strengthens the CIS CSC risk assessment framework.
B. Defensive Measures
In the face of cyber attacks that come from the external
and internal environment, organizations need to take
effective defensive measures [3], including:
1. Develop a good security policy and easy to understand
from the user's perspective. Some company security
policies that can be an example are policies regarding the
types of files or documents that can be downloaded by
employees, the obligation to activate security features
before the computer is connected to the network.
2. Install a firewall device.
3. Develop a user authentication scheme to control access
control of the IT infrastructure. Authentication can be in
the form of a password, digital certificate, or biometric.
4. Encrypt the corporate network (VPN).
5. Perform system patching and change management.
6. Build intruder detection and network monitoring tools.
This action needs to be evaluated continuously according to
the times, given the variety of threats and cyber attacks
evolve very quickly.
C. Malware
Malware or malicious software is a code or program that
is designed deliberately to damage or paralyze the functioning
of a system. According to [9] a number of attacks published
recently show that malware can be a quite critical problem for
industry, government, and individuals.
Some of the symptoms that indicate that the system is
affected by malware are slow computer speed or performance,
system hang, blank screen, computer system restart
continuously, erasing entire disk or drive, erratic screen
behavior, browser homepage change automatically, operating
system software modified [10].
Some malware generally enters via network transmission.
Malware infects vulnerable systems, and then spreads to one
or more systems; then becoming active on the host computer
depends on the nature of the code's content and ultimately
disrupts the host system's services.
According to the Indonesia Computer Emergency
Response Team (ID-CERT) report in 2018, Malware was
ranked 4th with a total of 9855 reports or 6.81% of the total
complaints. Fig. 1 shows complaints graph of cyber security
incidents in 2018.
Although a small percentage, if examined based on the
number of reporting, malware attacks are still one of the
highest cyber crime in Indonesia after spam.
405
 2020 3rd International Conference on Computer and Informatics Engineering (IC2IE)
INCIDENT MONITORING REPORT 2018
Spoofing/Phising
4%
Spam
26% HaKI/IPR
45%
Response
0%
Network Incident
13% Complaint
Malware Spam
7% 5%
Fig. 1. Complaints Graph of Cyber Security Incidents in 2018 [11]
III. RESEARCH METHODOLOGY
Many literature describes the framework for assessing the
security risks of IT infrastructure, but none of which describes
the framework used by companies especially insurance
companies and describes the results of the framework and the
experience gained in using the framework. This paper will
review the framework chosen by PT XYZ, assessment results,
and lessons learned from using this framework. The
methodology used in this research is the study of documents
and qualitative approaches through interviews.
Document studies refer to reports on the results of security
assessment. The interviews were conducted with several
interviewees including CIO, Head of IT Infrastructure,
Network Engineers, IT Consultants, and IT Staff Security
Specialists. Interview questions focus on:
1. What are the steps taken by PT. XYZ to improve the
security and reliability of IT infrastructure?
2. The method was used to conduct security assessments
and how to conduct the assessment?
IV. ANALYSIS AND DISCUSSION
The evolution of technology is the main driver of the
company to make changes and look for new innovations to
operate and increase business capacity. The technology
architecture needs to capture the transformation opportunities
available to companies through the adoption of new
technologies [12]. When IT plays an important role in
business and organization, companies must focus on
information security. Information security experts encourage
organizations to carry out information security risks [13].
Kaup Vijayananda [14] states that there are several industry
frameworks that have been recognized for use as guidelines
in conducting assessments, some of which are NIST
Cybersecurity Framework, IS0 27001, COBIT-5 and Critical
Security Controls from the Center of Internet Security (CIS-
CSC). The framework has several similar concepts but has
different ways of dealing with information security issues.
CIS CSC has easy to understand, good technical granularity,
and easy to implement [14]. PT. XYZ itself currently has
implemented ISO 27001 with the scope of the main
application. In the next section, the assessment process
carried out by PT. XYZ and lessons that can be drawn from
that experience.
Authorized licensed use limited to: Mukesh Patel School of Technology & Engineering. Downloaded on March 18,2024 at 09:42:31 UTC from IEEE Xplore. Restrictions apply.
A. Assessment Methodology
The methodology carried out by PT. XYZ in evaluating to
ensure the reliability and security of IT infrastructure is to
describe the current technology architecture, determine target
architecture, conduct gap analysis, then determine the
roadmap for implementing improvement activities.
The first thing to do is to review documents / guidelines
for IT infrastructure development, information gathering
related to network infrastructure and IT security,
understanding of current conditions and the constraints faced.
In determining target architecture, what is done is by
conducting an assessment of the current architecture and
recommendations for improvement, a group discussion forum
related to future needs with the architecture, policy, and
application developer teams. Gap analysis is to determine the
gap between current conditions and existing development
guidelines and define a plan to improve the results of the
assessment. Roadmap for the implementation of improvement
activities is the making of a gradual improvement plan for the
next 3 years, at this stage also determined technology
candidates / devices that can be used to improve infrastructure
and the required investment value.
The entire team is gathered and led by the infrastructure
team to agree on the hardware and software that is included
in the scope and an assessment of aspects of assessment based
on people, process, technology and risk is carried out. This is
interesting where PT. XYZ chose the CIS CSC framework to
carry out the evaluation. The CSC CIS framework becomes
a guide to get the current conditions, then provides target
architecture recommendations based on predetermined
threshold values. The next section will discuss how the
framework is used.
B. Implementation of the CIS CSC Framework
In using the CIS CSC framework the first thing that needs
to be done by PT. XYZ is determining the CIS CSC
implementation group (IG) [5]. There are three types of
implementation group, although according to CIS CSC
guidelines a company has more than 1000 employees entered
into IG3 but PT. XYZ chose to join the IG2 group because the
organization does not have security experts who specialize in
various aspects of cyber security. Organizations included in
the IG2 category are organizations that employ individuals
who are responsible for managing and protecting information
technology infrastructure, organizations supporting many
departments with different risk profiles based on their
functions and mission, and have regulatory compliance
responsibilities and the main concern is the loss of trust public
if a violation occurs. Based on these classifications, PT. XYZ
will implement 20 controls and 140 sub controls out of 171
existing sub controls.
The next step is to determine Tier Level, which is how an
organization views cyber security risks and the processes that
exist to manage those risks [8]. CIS CSC divides into 4 Tier
to determine how to do the assessment, namely Tier 1:
Partial, Tier 2 Risk Informed, Tier 3: Repeatable, Tier 4:
Adaptive. PT. XYZ considers the level of organizational
security management capabilities to be in Tier 1, because the
company does not yet have an IT information security
development plan. Handling IT information security issues is
still based on events. There has not been an evaluation of
information security risks at the system, device and
406
 2020 3rd International Conference on Computer and Informatics Engineering (IC2IE)

application level. In accordance with this level the steps in Asset Type Asset Name BO Steward
conducting an assessment follow the guidelines of CIS-RAM
with the following steps: Network
DC Firewall CIO Network Engineer
Device
1) Defining the scope and scheduling sessions.
Network DRC Firewall
2) Defining risk assessment criteria. CIO Network Engineer
Device Internet
3) Defining risk acceptance criteria.
4) Risk assessment (control-based)
a. Gather evidence.
b. Model the threats.
c. Risk evaluation.
5) Propose safeguards
a. Evaluate proposed safeguards.
In the defining the scope and scheduling session’s stage,
the information assets will be evaluated, determine the
business owner and steward who will provide evidence and
be interviewed for the valuation of the asset. [8]. Then a
scheduling is done to evaluate. In accordance with the [15] it
will be contained in the document. Table I shows the scope Fig. 2. Balance in Risk Analysis [8]
definition of asset type, asset name, business owner, and
steward. The stage of defining risk acceptance criteria is to
determine the minimum value of the security risk is
The defining risk assessment criteria stage is a numerical
acceptable. The most important thing in this determination is
statement and simple language used by organizations to
to consider that the likely impact must be acceptable to all
evaluate cyber security risks [8]. CIS RAM mentions the
parties affected and this value must be less than or equal to
basis for risk analysis with the formula "RISK =
the value of the results of the recommendation. The risk
POSSIBILITY x IMPACT". The impact of security breaches
acceptance score in the case of this assessment is 4. CIS RAM
is assessed internally and externally, that is, things that cause
provides guidance as shown in Fig. 2.
the organization cannot accomplish its mission or the
organization can endanger others. Impact to our mission is The blue image to calculate the risk score while the green
defined on scenarios that can disrupt the information image to calculate the safeguard risk score. Risk score will be
technology department becoming a business partner for compared with risk acceptance score, if the risk score is
businesses through the provision, improvement and greater then there must be recommendations for
utilization of information technology services. While Impact improvement to reduce the risk. Recommendations for
to Our Obligations is defined in terms of cyber attack improvement will be re-evaluated based on impact and
scenarios that can cause damage or leakage of customer data. likelihood to produce a safeguard risk score, the value must
Each scenario has a range of values from 1 to 3. The scenario be smaller or equal to the acceptance score. If the risk score
that has the lowest risk has a value of 1 while the highest risk is smaller than the acceptance score, the risk can be accepted.
is valued by number 3. The highest value of both impacts will In this assessment safeguard risk scores are not recalculated
be taken as the impact value. Chances are how often that risk but rather provide recommendations for things that need to
will arise. In Tier 1 CIS CSC provides a simple definition be done to reduce these risks.
guide with values from 1 to 3. PT. XYZ gives a value of 1 if
The next step is risk assessment and propose safeguard.
the scenario has never occurred, a value of 2 if the scenario
Risk assessment is performed by studying documents and
has occurred in the past 1 year, and a value of 3 if the scenario
interviews with stewards according to the documentation in
often occurs in the last 1 year.
the first step. Interviews were conducted to provide the
TABLE I. SCOPE DEFINITION likelihood and impact on each sub-control according to the
CIS CSC IG2 guidelines. Each sub control that has a value of
Asset Type Asset Name BO Steward more than 4 is given a recommendation by a consultant for
infrastructure improvement.
Information Arsitektur DC CIO Head Of Operation
Overall assessment results can be seen on Fig. 3. Based
Arsitektur
Information CIO Head Of Operation on the results of the assessment, there were 92 sub-controls
DRC
that exceeded the threshold value. Then the assessment team
Arsitektur makes the value of each control taken from the average value
Information CIO Head Of Operation
Kantor Pusat of the sub control. The result is that there are 16 out of 20
Server LDAP CIO Network Engineer controls that have values above 4. These results illustrate that
IT infrastructure security of PT. XYZ is weak.
Prod DB
Server CIO Database Engineer
Server
Network
DC Router CIO Network Engineer
Device

407
Authorized licensed use limited to: Mukesh Patel School of Technology & Engineering. Downloaded on March 18,2024 at 09:42:31 UTC from IEEE Xplore. Restrictions apply.
 2020 3rd International Conference on Computer and Informatics Engineering (IC2IE)
Fig. 3. Results of IT Infrastructure Security Risk Assessment
Fig. 4. Data Center Network Topology
TABLE II. IMPROVEMENT ACTIVITY ROADMAP
Year Activity
1 Strengthening IT architecture, assets inventory,
vulnerability management, security baselining,
implementation network devices and additional security
controls (stage 1), add human resources
2 Implementation network devices and additional security
controls (stage 2), human resources expertise training and
certification, security awareness, implementation network
devices and additional security controls, increase in human
resources, security baselining, security hardening (stage 1),
security incident response and handling, strengthening
security monitoring, Information security testing (stage 1)
3 Implementation network devices and additional security
controls (stage 3), security hardening (stage 2), secure
coding, information security testing (stage 2)
An interesting thing that is seen from the assessment
results is PT. XYZ already has a good ability to maintain
Authorized licensed use limited to: Mukesh Patel School of Technology & Engineering. Downloaded on March 18,2024 at 09:42:31 UTC from IEEE Xplore. Restrictions apply.
security from malware threats as evidenced by the value of
CIS Control 8 Malware Defense, but still has many
weaknesses such as account monitoring and control, secure
configuration control for hardware and software on mobile
devices, laptops, workstations and servers, data recovery
capabilities, implement a security awareness and training
program, secure configuration for network devices, such as
firewalls, routers and switches, incident response and
management. Based on the results of interviews weak
security awareness and lack of security control over mobile
devices, laptops, workstations, servers and network devices
coupled with a lack of security in the network topology can
cause malware to enter the server.
The network topology in Fig. 4 shows that currently there
are no security controls on access to the database server.
There is no zone separation between the DMZ and Server
Farm. There are no security control devices at the application
level for servers that can be accessed from the public /
internet. Firewall configuration is not optimal so that every
device can access the server through all ports.
Based on these conditions, there are recommendations for
improvement by monitoring all data center infrastructure
assets by the network operation center. In addition, it also
makes changes to network topology such as creating network
segmentation, controlling access between DMZs, server
farms and databases using an internal firewall, adding
security controls such as Network IDPS, Web Application
Firewall, and Internal Network IDS.
Recommendations for improving the assessment result
were then consulted with the CIO. Organizations must adjust
the implementation of the CIS Control based on appropriate
and reasonable considerations according to the organization's
resources, mission, and risks [5]. CIO's role is to choose
recommendations that are feasible / not feasible to be
implemented by the company.
C. Strengthening IT Infrastructure Security Roadmap
Based on the results of the recommended improvements
13 selected activities that need to be done, of course it can not
be done in a short time and IT investment needs can be met
408
 2020 3rd International Conference on Computer and Informatics Engineering (IC2IE)
immediately. For this reason, a roadmap for the
implementation of improvement activities needs to be made
where PT. XYZ determined the implementation of these
activities could be carried out in the next 3 years. Roadmap
on Table II illustrates how the implementation of the
recommendations for improvement is carried out in stages
and prioritized based on the most important needs in
accordance with the CIO's decision.
V. LESSON LEARNED
The lessons that can be drawn from what has been done
in this activity are:
1. Critical Security Control from the Center of Internet
Security can be used as a framework for evaluating the
security of IT infrastructure.
2. In the case of PT. XYZ, who adopted the Implementation
Group 2 category, had many recommendations and
things that needed to be done. According to the results of
the interview, CIS Control should be chosen again
according to the organization's ability to implement this.
3. The recommendations given are considered very well
and can help in improving the organization's ability to
provide services, but to implement all of these
recommendations requires adequate financial, human
resources, and human resource capabilities. According
to J. D. Hietala [16] organizations have limited budgets
to handle new security projects and can take advantage
of existing investments in security systems management
tools and IT. In this position the role of the CIO is very
important to choose the recommendations to be accepted
and priorities to be worked on or the recommendations
are not implemented so that it becomes a risk borne by
the organization.
4. The strategy that can be taken to ensure the availability
of funds and human resources is to make a roadmap for
working on recommendations. The roadmap also
functions as a CIO commitment to improve the security
of IT infrastructure.
5. According to interviews, the use of security tools can
help improve the security of IT infrastructure and
improve the efficiency of IT HR participation through
the automation features offered.
VI. CONCLUSION
The purpose of this research is to explore how an
insurance company assuring the reliability and security of IT
infrastructure. This research has outlined ways to identify and
evaluate information security risks. CIS CSC has sequential,
clear and straight forward steps in evaluating information
security risks. This research also has limitations because it is
a case study research, the results are less generalizable. Apart
from that, this research can be used as a lesson learned from
the condition of information security advancement in
insurance companies in Indonesia.
In the future, it is interesting to explore another security
assessment method such as COBIT-5. That is because PT.
XYZ has implemented COBIT-5 as an IT governance
Authorized licensed use limited to: Mukesh Patel School of Technology & Engineering. Downloaded on March 18,2024 at 09:42:31 UTC from IEEE Xplore. Restrictions apply.
framework. In addition, PT XYZ is interested in seeing IT
security from other frameworks as a comparison.
ACKNOWLEDGEMENT
This study was funded by the 2020 PUTI Research Grant,
Universitas Indonesia.
REFERENCES
[1] P. Copy and D. Lanter, COBIT 2019 Framework - Introduction and
methodology, ISACA, 2019.
[2] "PP NOMOR 80 TAHUN 2019: Perdagangan Melalui Sistem
Elektronik [Government Regulation Number 80 of 2019 concerning
Trading through Electronic Systems]," 18 February 2019. [Online].
Available:
https://jdih.setneg.go.id/viewpdfperaturan/P18728/PP%20Nomor%
2080%20Tahun%202019.
[3] L. Applegate, R. Austin and D. Soule, Corporate Information
Strategy and Management: Text and Cases, McGraw-Hill, 2009.
[4] M. &. P. A. &. P. A. Prodan, "Three New Dimensions to People,
Process, Technology Improvement Model," Advances in Intelligent
Systems and Computing, pp. 481-490, 2015.
[5] Center for Internet Security, "CIS Controls, Version 7.1," 2019.
[6] NNT, "Understanding The Basic CIS Controls: CSC 1-6.,"
[Online]. Available:
https://www.newnettechnologies.com/understanding-the-basic-cis-
controls-csc-1-6.html. [Accessed 19 4 2020].
[7] A. Dutta and E. Al-Shaer, "“What”, “Where”, and “Why”
Cybersecurity Controls to Enforce for Optimal Risk Mitigation," in
IEEE Conference on Communications and Network Security (CNS),
Washington DC, 2019.
[8] Center for Internet Security, "CIS Risk Assessment Method".
[9] A. M. Abuzaid, M. M. Saudi, B. M. Taib and Z. H. Abdullah, "An
Efficient Trojan Horse Classification (ETC)," International Journal
of Computer Science Issues, vol. 10, no. 2, p. 96, 2013.
[10] M. J. Joshi and B. V. Patil, "Computer Virus: Their Problems &
Major attacks in Real Life," International Journal of P2P Network
Trends and Technology, vol. 3, no. 4, p. 206, 2013.
[11] A. P. C. E. R. T. (APCERT), "APCERT Annual Report 2018,"
APCERT Secretariat, 2018.
[12] The TOGAF Standard, Version 9.2, US: The Open Group, 2018.
[13] N. Al-Safwani, Y. Fazea and H. Ibra-him, "ISCP: In-depth model
for selecting critical security controls," in Computers & Security,
2018.
[14] V. Kaup Vijayananda, "Implementing CIS Cybersecurity Controls
for the Department of Residence, Iowa State University," 2018.
[15] Center for Internet Security, "CIS RAM Workbook Version 1.0,"
2018.
[16] J. D. Hietala, "Implementing the Critical Security Controls," 2013.
409