
Firmware Security Risks and Mitigation

Enterprise Practices and Challenges

Abstract
In 2016, reports of ransomware, Internet of Things (IoT) attacks and increased
cyberespionage have dominated headlines. Yet many vulnerabilities are present in an
area not frequently addressed within the infrastructure of almost all organizations:
firmware. In addition, as IoT devices proliferate, firmware, operating system and app
functionality become wholly entwined; the differentiation starts to blur.
This study attempts to identify how many firmware attacks are occurring and what is
being done to reduce enterprise risk from attacks targeting firmware. The results
reveal many interesting findings that indicate positives and negatives for cyber
security professionals. The survey, which used multiple-choice and Likert scale
formats, was organized in five major sections:
• Demographics
• Frameworks and standards
• Security management and controls
• Impact
• Conclusions

FIRMWARE SECURITY RISKS AND MITIGATION

Table of Contents

Firmware Background
Description of the Survey Population
Frameworks and Standards
Security Management and Controls
Conclusion
Acknowledgments

List of Figures

Figure 1: Industry Representation
Figure 2: Geographic Representation
Figure 3: Prominent Frameworks
Figure 4: Compliance Audit Feedback Regarding Firmware
Figure 5: Firmware Audit Compliance and Effectiveness Correlation
Figure 6: Firmware Audit Compliance and Control Implementation Correlation
Figure 7: Correlation Between Audit Feedback and Attack Preparedness
Figure 8: Firmware Security Priorities and Attack Occurrences Correlation
Figure 9: Correlation Between Monitoring and Known Occurrences
Figure 10: Security Prioritization and Preparedness Correlation

2016 ISACA. All Rights Reserved.

Firmware Background
Firmware. It is not often talked about. In fact, some might
say it is forgotten, overlooked, an afterthought. However,
that hard-coded software that is frequently stored in
ROM, flash, etc., is an extremely critical, vulnerable and
increasingly attractive entry point for hackers. Firmware
compromise can come from a bad actor introducing corrupt
firmware, or an original equipment manufacturer (OEM)
identifying vulnerabilities in previously trusted firmware. OEM
examples are not limited to small vendors or those new to
the market. Fortinet realized a large vulnerability this year
when a Secure Shell (SSH) back door was identified that
allowed users to log in with administrative privileges to
vulnerable devices.[1] The vulnerability was a result of a design
feature, unlike the case at Juniper, which discovered unauthorized
code in the ScreenOS that runs on many of its firewalls.
The code allowed for unauthorized administrative access
and also for decryption of virtual private network (VPN)
connections that could allow a bad actor to listen passively
to traffic that was thought to be encrypted.[2]
While firmware is not one of the most commonly reported
attack vectors, recent incidents such as those at Fortinet and
Juniper, as well as the Equation Group's attack on
drives and attacks such as Flame, which received extensive
media attention, have brought firmware to light as a
vulnerability, resulting in discussion focused on components
of platforms such as basic input-output system (BIOS) and
secure boot.

While attack impact can be extremely problematic for an
enterprise, the focus of the security team tends to be on
protecting assets that have a high likelihood of being
targeted (databases or authentication credentials, for
example). Traditionally, it was easier for hackers to launch an
attack at software to steal this information than to successfully
penetrate an enterprise's firmware assets. However, it is the
underlying systems, all the way down to the firmware layer,
that ultimately take responsibility for the systems hosting these
attractive data sets. With the evolution of operating system
(OS) and hypervisor security technologies, the bad actors are
changing their focus.
In addition, firmware maintenance is often considered an
operations function rather than a security concern. While
the security team may be alerted that a vulnerability is
discovered, nothing will be done if there is no process to
advise operations that a patch is required. Similarly, if
firmware is not part of a continuous security monitoring
process, no one will detect unauthorized changes, including
the introduction of malware at the firmware layer.
The data in this study's survey results indicate that
respondents are beginning to understand the potential
impact of a successful exploit against the enterprise
firmware; however, most respondents do not have a
holistic program in place to address firmware
vulnerabilities within their infrastructure.

For the most part, firmware is not built with security as a
priority. Functionality is, and once it is acquired it is easy to
forget about firmware. It is generally reliable, and if new
updates are produced by the vendor, they generally work.
But if firmware itself is forgotten, it is easy to see why the
security considerations of firmware are frequently overlooked.

[1] Gross, Garrett; Juniper ScreenOS Backdoor Eavesdropping, AlienVault, 11 January 2016, https://www.alienvault.com/blogs/security-essentials/juniper-screenos-backdooreavesdropping
[2] Scholl, Derrick; Important Announcement about ScreenOS, Juniper, 17 December 2015, https://forums.juniper.net/t5/Security-Incident-Response/ImportantAnnouncement-about-ScreenOS/ba-p/285554


Description of the Survey Population
The populations invited to respond to the survey were
selected ISACA certification holders and members. Due to
the nature of the survey, the targeted population consisted
of individuals who have cyber security job responsibilities.
More than 750 individuals participated, of which 436
indicated that their primary job function is cyber security
or information security. The data represented in this report
reflect the information provided by those 436 individuals.
A typical respondent can be described as follows:
• ISACA member: 81 percent
• A holder of the Certified Information Security Manager
  (CISM) (60 percent) and/or a Certified Information Systems
  Security Professional (CISSP) (40 percent) credential
• Geographically diverse: Have operations in North America
  (49 percent), Europe (54 percent), Asia (38 percent)
• Business sectors/industries: 22 percent in financial services,
  26 percent in technology services/consulting
• 78 percent are in cyber security/information security
  management while 21 percent are cyber security/information
  security practitioners.
• 61 percent are employed in an enterprise with at least
  1,500 employees.
While the norms of the sample population are interesting to
consider, it is important to note some of the characteristics of
respondents that are not in the majority. Among those
surveyed, respondents are employed in more than 20
industries (see figure 1) and have business operations in at
least four other major global regions (Latin America, Middle
East, Africa and Oceania) in addition to the majority areas
(see figure 2).

Figure 1: Industry Representation
Survey question: Which of the following best describes your business
industry?
Categories shown: Retail/Wholesale/Distribution; Utilities; Technology
Services/Consulting; Transportation; Education/Student; Insurance;
Other; Manufacturing/Engineering; Health Care/Medical;
Financial/Banking; Telecommunications/Communications;
Government/Military-National/State/Local.

Figure 2: Geographic Representation
Survey question: Please indicate the regions in which your company
currently operates.
Values shown: North America 49%, Europe 54%, Asia 38%, Africa 24%;
Oceania, Middle East and Latin America carry the labels 33%, 18%
and 25%.

Frameworks and Standards

Security has no shortage of frameworks and standards. In fact,
respondents reported use of more than 20 distinct frameworks
or standards to manage risk to hardware and firmware within
the information security program.
However, the most common standard by far was
International Organization for Standardization/
International Electrotechnical Commission (ISO/IEC)
27001, with 74 percent of respondents reporting that it is
used in their enterprise (see figure 3). The next closest were
COBIT 5 (28 percent), Payment Card Industry Data Security
Standard (PCI DSS) 3.0 (27 percent), National Institute of
Standards and Technology (NIST) SP 800-53 (18 percent),
and NIST Cybersecurity Framework (CSF) (13 percent).

Figure 3: Prominent Frameworks
Survey question: Please select the security standard/framework(s)
your company has adopted for keeping critical systems and
information safe.
Bar chart (0% to 80%) listing: ISO/IEC 27001; COBIT 5; PCI DSS 3.0;
NIST SP 800-53 Rev 4; HIPAA; NIST CSF; PCI; Other; CIS Controls for
Effective Cyber Defense Version 6.0; Unknown; HITRUST CSF;
Australian Top 35; FFIEC Assessment Tool; FFIEC Examiners Handbook;
NSA Top 10; UK ICO Protecting Data; UK Cyber Essentials; NERC CIP;
GCHQ 10 Steps; FedRAMP.

While enterprise use of frameworks for general security
governance and management is overwhelmingly dominated by
ISO/IEC 27001, when it comes to frameworks used specifically
for firmware (implementation, monitoring and remediation),
ISO/IEC 27001's use percentage drops to 60 percent, though it is
still by far the most dominant, with COBIT 5 coming in with a
reported 19 percent use and PCI DSS 3.0 a reported 18 percent.
A significant increase is in the unknown category, moving from
8 percent in general security framework use up to 20 percent
when it comes to guidance for firmware, indicating that of the
security professionals who do know which security frameworks
the enterprise uses, 12 percent do not know which, if any,
guidance is being followed for firmware security management.

Security Management and Controls

While frameworks and standards are critical for effective
governance and management, policies and executive support
set the tone for the enterprise, critically aiding or weakening the
effectiveness of the enterprise security program. That is true also
in the selection of infrastructure and the management process
around it. Survey results show that in organizations where
security is a high priority in the hardware life cycle
approach, enterprises fare better in a few areas. Audit
reports show that these enterprises have fewer audit findings
in the area of firmware and are also more aware of their
vulnerabilities. For example, data in figure 4 show that 69
percent of enterprises that place a high priority in this area are
at least partially compliant and only 17 percent of that same
group received no feedback at all on firmware controls. On
the other hand, none of the enterprises that indicated that
security is not a priority in the hardware life cycle management
process reported being even partially compliant and a
whopping 67 percent received no feedback in their audit
report of this critical attack surface. It is evident that, in
many enterprises, hardware and firmware are being
overlooked from the beginning and through the audit
process, leaving many unaware if systems are
vulnerable or, worse, compromised.

Figure 4: Compliance Audit Feedback Regarding Firmware
Survey question: Which of the following choices best describe
feedback your company has received via compliance audits related to
firmware integrity monitoring, validation and/or firmware flaw
remediation?
Stacked bar chart (0% to 100%) of audit feedback (Fully Compliant,
No Deficiencies Exist; Partially Compliant, Minor Deficiencies Exist;
Noncompliant, Material Deficiencies Exist; No Feedback Received
Regarding Firmware Controls; Unknown) by security priority (High
Priority: Security Is a Key or Driving Criteria; Moderate Priority:
Security Is Considered Among Other Key or Driving Factors; Low
Priority: Security Is Considered but Is Not a Key Factor; Not a
Priority: Security Is Not a Consideration; Unknown).

The survey results demonstrate that audit timing is a key
variable in how enterprises are performing. As seen in
figure 5, 63 percent of the individuals who report being
fully compliant on audits relating to firmware integrity
monitoring, validation or firmware flaw remediation
report higher levels of effectiveness of their overall patch
management processes and procedures. Likewise, figure
6 demonstrates that 51 percent of those who did not
receive feedback in this audit category report that they
have not yet implemented controls for firmware integrity
monitoring, validation and/or firmware flaw remediation. Of
that 51 percent, 34 percent have no plans to implement
such controls, leaving the firmware vulnerability open.

It does appear from the data that, in addition to audit
timing, the relationship with the audit team impacts the
enterprise's ability to prevent firmware attacks; as an
example, only 10 percent of respondents who received no
feedback from auditors on firmware controls felt mostly
prepared to respond to or mitigate firmware-based attacks,
compared to 39 percent of those who were receiving
feedback and had minor deficiencies, as seen in figure 7.

In addition to having better audit feedback with which to
move forward, the enterprises that place a high level of
importance on security in the overall approach to life cycle
management do a number of things differently from the
enterprises that do not place high importance on security in
hardware life cycle management. For example, 84 percent
of enterprises in the high level of security category
include firmware in the enterprise's patch management
system vs. only 49 percent of enterprises in the low level
of security category. Similar results occur relative to using
Trusted Platform Module (TPM) management tools (67
percent vs. 40 percent). Finally, only 19 percent of companies
who do not place a high level of importance in the overall
approach to security in hardware life cycle management do
not use tools to detect and log changes in firmware vs. 62
percent of enterprises that place a low priority on security in
hardware life cycle management (19 percent vs. 62 percent).
The enterprises that place priority on security in hardware life
cycle management also monitor more hardware and firmware
than enterprises that do not. To the authors' knowledge, this
study is the first to objectively capture self-reported
firmware malware incidents from security professionals
around the world. More than half (52 percent) of the
study's participants who do place a priority on security
within hardware life cycle management report at least
one incident of malware-infected firmware being
introduced into a company system, and 17 percent
reveal that the incident had a material impact.

Figure 5: Firmware Audit Compliance and Effectiveness Correlation

Compliance audit feedback | Highly Effective | Effective | Substandard | Unknown | Total
Fully Compliant, No Deficiencies Exist | 63% | 29% | 6% | 2% | 11%
Partially Compliant, Minor Deficiencies Exist | 9% | 78% | 10% | 3% | 29%
Noncompliant, Material Deficiencies Exist | 0% | 42% | 58% | 0% | 8%
No Feedback Received Regarding Firmware Controls | 6% | 56% | 35% | 3% | 36%
Unknown | 6% | 62% | 10% | 22% | 16%
Total Respondents | 55 | 256 | 97 | 25 | 433

Figure 6: Firmware Audit Compliance and Control Implementation Correlation

Compliance audit feedback | Fully Implemented | Partially Implemented | Planning to Implement Within the Next 12 Months | Planning to Implement Within the Next 24 Months | Not Planning to Implement | Unknown | Total
Fully Compliant, No Deficiencies Exist | 57% | 31% | 6% | 2% | 0% | 4% | 11%
Partially Compliant, Minor Deficiencies Exist | 15% | 67% | 6% | 6% | 3% | 3% | 29%
Noncompliant, Material Deficiencies Exist | 0% | 30% | 18% | 24% | 27% | 0% | 8%
No Feedback Received Regarding Firmware Controls | 4% | 22% | 10% | 17% | 34% | 13% | 36%
Unknown | 4% | 16% | 4% | 4% | 7% | 63% | 16%
Total Respondents | 56 | 155 | 35 | 46 | 72 | 69 | 433

Figure 7: Correlation Between Audit Feedback and Attack Preparedness
Bar chart (0% to 60%) of preparedness (Fully Prepared; Mostly
Prepared; Partially Prepared; Unprepared; Unknown) by compliance
audit feedback (Fully Compliant, No Deficiencies Exist; Partially
Compliant, Minor Deficiencies Exist; Noncompliant, Material
Deficiencies Exist; No Feedback Received Regarding Firmware
Controls; Unknown).

When it comes to the respondents that plan to implement
firmware controls over the next 12 to 24 months, 30 percent
say they have had firmware-malware introduced into corporate
systems, with 11 percent saying at least one occurrence
resulted in a material impact. Even among those who have no
plans to implement firmware controls, 11 percent say they have
had firmware-malware introduced into corporate systems, with
3 percent indicating at least one occurrence resulted in a
material impact (see figure 8).
These findings demonstrate that firmware attacks can no
longer be considered theoretical.
The group that does not prioritize security in the
hardware life cycle process has an extremely high rate of
no known malware occurrences (73 percent). In addition,
this group monitors quite a bit less than those who do, so the
data were tested to examine whether the high rate of no
known occurrences coincided with the lack of monitoring. In
fact, a causal relationship is indicated between those who do
not monitor and no known occurrences (see figure 9). This
group does not necessarily have fewer occurrences; it
may just not know what it does not know.
It is no surprise to find out that, regarding preparedness, the
enterprises that prioritize security as part of the life
cycle also feel more confident that they are prepared to
respond to an attack at this layer. In fact, 71 percent of
respondents in an enterprise that does not place importance
on security in hardware life cycle management feel unprepared
to deal with an attack at the hardware or firmware vs. just 5
percent of the population that does prioritize security in overall
hardware life cycle management (see figure 10).

Figure 8: Firmware Security Priorities and Attack Occurrences Correlation
Stacked bar chart (0% to 100%) of occurrences (Multiple Occurrences,
Material Impact; Multiple Occurrences, Immaterial Impact; Single
Occurrence, Material Impact; Single Occurrence, Immaterial Impact;
No Known Occurrences; Unknown) by security priority (High Priority:
Security Is a Key or Driving Criteria; Moderate Priority: Security Is
Considered Among Other Key or Driving Factors; Low Priority:
Security Is Considered but Is Not a Key Factor; Not a Priority:
Security Is Not a Consideration; Unknown).

Figure 9: Correlation Between Monitoring and Known Occurrences

Firmware monitored | Multiple Occurrences, Material Impact | Multiple Occurrences, Immaterial Impact | Single Occurrence, Material Impact | Single Occurrence, Immaterial Impact | No Known Occurrences | Unknown | Total
Client Devices Such as Laptops, Smartphones or Tablets | 6% | 17% | 10% | 16% | 40% | 11% | 51%
Servers and/or Server-based Platforms | 5% | 19% | 9% | 14% | 45% | 8% | 64%
Network Devices Such as Routers or Switches | 5% | 18% | 9% | 12% | 46% | 9% | 63%
Storage Devices Such as Hard Drives or Storage Area Networks | 5% | 19% | 9% | 15% | 44% | 10% | 50%
Deployed Internet of Things (IoT) Devices | 7% | 34% | 12% | 17% | 17% | 12% | 10%
Currently Not Monitoring, Measuring or Collecting Firmware Data | 2% | 5% | 9% | 2% | 73% | 9% | 21%
Unknown | 5% | 7% | 5% | 4% | 33% | 45% | 13%
Total Respondents | 19 | 60 | 33 | 43 | 218 | 56 | 429

Conclusion
The vulnerabilities associated with firmware are understood
by the security professionals represented in the survey.
Roughly half the respondents are at least partially using TPM,
and 69 percent report that security is at least a moderate
priority in the enterprise's overall approach to hardware life
cycle management.
The study revealed that the relationship between audit and
the enterprise regarding firmware management is key. The
organizations that received valuable feedback during regular
compliance audits for firmware fared better than those that
did not with regard to preparedness for an attack at this layer,
implementation of controls for firmware, and overall patch
management processes. Organizations should work to build
relationships with the audit team to ensure that awareness
around firmware is audited and reported to help improve
overall asset protection.
Additionally, the factor of importance of security in the
enterprise's approach to hardware life cycle management
showed to be a leading variable in determining how well
enterprises are managing the associated vulnerabilities with
firmware. The enterprises that place at least a moderate
priority on security within the life cycle monitor more devices,
feel better prepared to deal with an attack at the firmware
layer and receive better feedback on their audit, enabling
them to continuously improve.
While it is a positive indicator that overall governance is
improving enterprises' security posture, there are still significant
gaps in this area, including a significant number of enterprises
that are not monitoring for changes in enterprise firmware and
actually do not know whether they have had any successful
exploits that have introduced malware into enterprise firmware.
More than half of companies that place a priority on
security in the hardware life cycle reported at least
one incident of malware-infected firmware introduced
into a company system, with 17 percent indicating the
incident resulted in a material impact. This is a wake-up
call to all organizations that this is a real risk that needs
to be mitigated.

Some tips to prevent attacks on firmware for the enterprise include:
• Wherever possible, look for manufacturers that allow the
  enterprise to independently validate the integrity of their
  devices (servers, network, storage, IoT).
• Segregate devices into trust zones that allow the
  organization to operate trusted devices separate from
  untrusted or untrustable devices.
• Establish a firmware update policy.
• Because continuous monitoring is paramount, acquire
  systems and technologies specifically for monitoring the
  integrity of devices via the network, leveraging trusted
  technologies like TPM.

Some tips to prevent attacks on firmware for manufacturers
include:
• Publish known good values of the firmware so customers
  can validate that they are running trusted code. Establish
  integrity mechanisms so customers can validate that
  systems are operating as intended.
• Build in a capability for an auditable firmware update process.
• Disable unused hardware interfaces. Disable consoles or
  password-protect them.
• Protect bootloaders, which start the firmware when the
  device boots.
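
An added illustration of the integrity-validation and change-monitoring tips above (not ISACA's code or any vendor's tooling): it compares firmware digests against a manufacturer-published known-good list, flags drift from the last audit, and reports devices with no firmware data as not monitored rather than clean. The device names, firmware images and manifest are constructed sample data.

```python
"""Firmware integrity check against manufacturer-published known-good values."""
import hashlib
import hmac
from collections import Counter


def sha256_hex(blob):
    return hashlib.sha256(blob).hexdigest()


# Constructed firmware images; in practice these are read back from devices.
ROUTER_FW = b"constructed edge-router firmware 1.2"
STORAGE_FW = b"constructed storage-controller firmware 7.0"

# Constructed stand-in for the manufacturer's published known-good digests.
KNOWN_GOOD = {
    ("edge-router", "1.2"): sha256_hex(ROUTER_FW),
    ("storage-ctrl", "7.0"): sha256_hex(STORAGE_FW),
}

# Constructed inventory. image=None means no firmware data is collected.
INVENTORY = [
    {"id": "rtr-01", "model": "edge-router", "version": "1.2",
     "image": ROUTER_FW},
    {"id": "rtr-02", "model": "edge-router", "version": "1.2",
     "image": ROUTER_FW + b"\x00unexpected bytes"},
    {"id": "san-01", "model": "storage-ctrl", "version": "7.1",
     "image": STORAGE_FW},
    {"id": "iot-01", "model": "badge-reader", "version": "0.9",
     "image": None},
]


def check_device(device, known_good, baseline):
    """Classify one device and flag drift from the last recorded digest."""
    if device["image"] is None:
        # No measurement is not the same as no compromise.
        return {"id": device["id"], "status": "NOT_MONITORED",
                "digest": None, "changed": False}
    digest = sha256_hex(device["image"])
    expected = known_good.get((device["model"], device["version"]))
    if expected is None:
        status = "NO_REFERENCE"   # nothing published for this model/version
    elif hmac.compare_digest(digest, expected):
        status = "TRUSTED"
    else:
        status = "MISMATCH"
    previous = baseline.get(device["id"])
    return {"id": device["id"], "status": status, "digest": digest,
            "changed": previous is not None and previous != digest}


def audit(inventory, known_good, baseline):
    """Return (per-device results, status counts, updated baseline)."""
    results = [check_device(d, known_good, baseline) for d in inventory]
    counts = Counter(r["status"] for r in results)
    new_baseline = dict(baseline)
    new_baseline.update(
        {r["id"]: r["digest"] for r in results if r["digest"]})
    return results, counts, new_baseline


if __name__ == "__main__":
    # Digest recorded for rtr-02 at the previous audit (constructed).
    last_audit = {"rtr-02": sha256_hex(ROUTER_FW)}
    results, counts, _ = audit(INVENTORY, KNOWN_GOOD, last_audit)
    for r in results:
        print(r["id"], r["status"], "CHANGED" if r["changed"] else "")
    print(dict(counts))
```

Logging every run's results, including the NOT_MONITORED and NO_REFERENCE rows, gives auditors evidence of coverage as well as of integrity.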

Figure 10: Security Prioritization and Preparedness Correlation

Security priority | Fully Prepared | Mostly Prepared | Partially Prepared | Unprepared | Unknown | Total
High Priority: Security Is a Key or Driving Criteria | 32% | 36% | 24% | 5% | 4% | 24%
Moderate Priority: Security Is Considered Among Other Key or Driving Factors | 8% | 26% | 42% | 12% | 11% | 45%
Low Priority: Security Is Considered but Is Not a Key Factor | 1% | 6% | 42% | 49% | 3% | 24%
Not a Priority: Security Is Not a Consideration | 0% | 6% | 18% | 71% | 6% | 4%
Unknown | 6% | 12% | 6% | 0% | 76% | 4%
Total Respondents | 50 | 96 | 151 | 90 | 42 | 429

ISACA
ISACA (isaca.org) helps global
professionals lead, adapt and assure
trust in an evolving digital world by
offering innovative and world-class
knowledge, standards, networking,
credentialing and career development.
Established in 1969, ISACA is a global
nonprofit association of 140,000
professionals in 180 countries. ISACA
also offers the Cybersecurity Nexus
(CSX), a holistic cybersecurity resource,
and COBIT, a business framework to
govern enterprise technology.

Disclaimer
This is an educational resource and is
not inclusive of all information that may
be needed to assure a successful
outcome. Readers should apply their
own professional judgment to their
specific circumstances.

Reservation of Rights
2016 ISACA. All rights reserved.

3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
Phone: +1.847.253.1545
Fax: +1.847.253.1443
Email: info@isaca.org
www.isaca.org


ACKNOWLEDGMENTS
ISACA wishes to recognize:

Lead Developer
Justine Bone, MedSec, USA

ISACA Board of Directors
Christos K. Dimitriadis, Ph.D., CISA, CISM, CRISC, INTRALOT S.A., Greece, Chair
Theresa Grafenstine, CISA, CGEIT, CRISC, CIA, CGAP, CGMA, CPA, US House of Representatives, USA, Vice-chair
Robert Clyde, CISM, Clyde Consulting LLC, USA, Director
Leonard Ong, CISA, CISM, CGEIT, CRISC, CPP, CFE, PMP, CIPM, CIPT, CISSP ISSMP-ISSAP, CSSLP, CITBCM, GCIA, GCIH, GSNA, GCFA, Merck, Singapore, Director
Andre Pitkowski, CGEIT, CRISC, OCTAVE, CRMA, ISO27kLA, ISO31kLA, APIT Consultoria de Informatica Ltd., Brazil, Director
Eddie Schwartz, CISA, CISM, CISSP-ISSEP, PMP, WhiteOps, USA, Director
Jo Stewart-Rattray, CISA, CISM, CGEIT, CRISC, FACS CP, BRM Holdich, Australia, Director
Tichaona Zororo, CISA, CISM, CGEIT, CRISC, CIA, CRMA, EGIT | Enterprise Governance (Pty) Ltd., South Africa, Director
Zubin Chagpar, CISA, CISM, PMP, Amazon Web Services, UK, Director
Rajaramiyer Venketaramani Raghu, CISA, CRISC, Versatilist Consulting India Pvt. Ltd., India, Director
Jeff Spivey, CRISC, CPP, Security Risk Management Inc., USA, Director
Robert E Stroud, CGEIT, CRISC, Forrester Research, USA, Past Chair
Tony Hayes, CGEIT, AFCHSE, CHE, FACS, FCPA, FIIA, Queensland Government, Australia, Past Chair
Greg Grocholski, CISA, SABIC, Saudi Arabia, Past Chair
Matt Loeb, CGEIT, FASAE, CAE, ISACA, USA, Director

Cybersecurity Working Group
Eddie Schwartz, CISA, CISM, CISSP-ISSEP, PMP, WhiteOps, USA, Chair
Niall Casey, Johnson & Johnson, USA
Stacey Halota, CISA, CISSP, CIPP, Graham Holdings, USA
Tammy Moskites, CISM, Venafi, USA
Lisa O'Connor, Accenture, USA
Ron Ritchey, JPMorgan Chase & Co., USA
Marcus Sachs, North American Electric Reliability Corporation, USA
Greg Witte, CISM, CISSP-ISSEP, PMP, G2 Inc., USA
Rogerio Winter, Brazilian Army, Brazil
