
Cybersecurity Fundamentals

Instructor: Haris Chughtai (Linkedin)


dc.expert123@gmail.com
Dated: 2024

Course developed & delivered by Haris Chughtai (dc.expert123@gmail.com)


● Course Outline
○ Cybersecurity - People, Process, Technology
○ Information Security Triad - CIA
○ Threat Surface, Threat Actors and their motives
○ Common Cyber Attacks
○ Governance, Risk & Compliance (GRC)
○ Blue, Red & Purple teams
○ Cryptography (Encryption & Decryption)
○ Digital Signature & Certificates
○ Security Services - Firewalls, EDR/MDR/DR, Email Protection, Cloud, Data, Application Security etc.
○ Security Management & Security Operations Center (SOC)
○ Incident Response, Business Continuity Plan, Disaster Recovery
Understanding Cybersecurity

● Cybersecurity is the practice of protecting systems, networks, and programs from digital attacks

● In this section we will study the basic concepts of Cybersecurity
Why is Cybersecurity important?
Cyberattacks are constantly increasing

Ref: Field Effect Cybersecurity 101 eBook


What is Cybersecurity?
● Cybersecurity is not just about technology; rather, it is a framework of People, Process & Technology designed to protect systems, networks, programs, devices and data from cyber attacks.

► People need to understand the potential risks, their roles and responsibilities, and how their actions can impact the overall security of the organization

► Process refers to the set of procedures and policies in place to guide the interaction between people and technology

► Technology refers to the set of cybersecurity technologies deployed to provide the protection. Examples include Firewalls, SIEM, AntiVirus/Endpoint Protection etc.

● https://www.youtube.com/watch?v=n_kKEimNhgY


Cybersecurity CIA
● CIA Triad (Confidentiality, Integrity & Availability) is a model designed to guide policies for information security within an organization.

● Confidentiality is roughly equivalent to privacy. Confidentiality measures are designed to prevent sensitive information from unauthorized access attempts. It is common for data to be categorized according to the amount and type of damage that could be done if it fell into the wrong hands. More or less stringent measures can then be implemented according to those categories.

● Integrity involves maintaining the consistency, accuracy and trustworthiness of data over its entire lifecycle. Data must not be changed in transit, and steps must be taken to ensure data cannot be altered by unauthorized people (for example, in a breach of confidentiality).

● Availability means information should be consistently and readily accessible for authorized parties. This involves properly maintaining hardware and technical infrastructure and systems that hold and display the information.
Data Privacy & Protection
● Data privacy is a guideline for how data should be collected or handled, based on its sensitivity and importance. Data privacy is
typically applied to personal health information (PHI) and personally identifiable information (PII). This includes financial
information, medical records, social security or ID numbers, names, birthdates, and contact information.
○ Data Privacy defines the ability of a person to determine for themselves when, how, and to what extent personal
information about them is shared with or communicated to others.

● Data protection signifies the strategic and procedural steps undertaken to safeguard the privacy, availability, and integrity of
sensitive data, and is often interchangeably used with the term ‘data security.’



Authentication vs Authorization
● Authentication - The act of identifying or verifying the eligibility of a station, originator, or individual to access specific categories of information.

● Authorization - The right or a permission that is granted to a system entity to access a system resource.


Information Security Risk
● Information security risk reflects the potential adverse impacts that result from the possibility of unauthorized access, use, disclosure, disruption, modification or destruction of information and/or information systems.

● Risk Management - Identification, Assessment, Treatment etc. By applying risk management, we are able to assess and prioritize the risks to an organization (e.g. asset vulnerabilities that can be exploited by threats). An organization can decide whether to:

○ Accept the risk (ignoring the risks and continuing risky activities)

○ Avoid the risk (ceasing the risky activity to remove the likelihood that an event will occur)

○ Mitigate the risk (taking action to prevent or reduce the impact of an event), or

○ Transfer the risk (passing risk to a third party)


Information Security Risk
Risk Matrix (figure)


Security Controls
○ Security Controls act as safeguards or countermeasures prescribed for an information system to protect the confidentiality, integrity and availability of the system and its information. Implementation of security controls is expected to reduce risk to an acceptable level

○ Three types of security controls
a. Administrative controls
b. Physical controls
c. Logical/Technical controls
i. MAC - Mandatory Access Control
ii. DAC - Discretionary Access Control
iii. RBAC - Role Based Access Control

○ Non-repudiation - The inability to deny taking an action such as creating information, approving information and sending or receiving a message.

In simple terms non-repudiation in information security is the ability to prevent a denial in an electronic message or transaction.



Cyber Threat Actors

● In this section we will discuss some of the common cyber threat sources and the risks they pose to organization’s digital assets

Threat Surface, Threat Actors & Motivation

Attack Surface Definition: All the parts of your IT network where cyber criminals could identify security gaps, holes, or other potential vulnerabilities, and gain access.


Cybersecurity Common Attacks
● Common types of Cybersecurity Attacks
○ Eavesdropping, IP-Spoofing, MiTM (Man in the Middle)
○ Phishing, Whale-phishing, Spear-Phishing, Drive-by Download, Trojan Horse, Botnets
○ Denial of Service (DoS)
○ Brute force, Password/Dictionary
○ URL interpretation, DNS-Spoofing
○ SQL Injection, Cross-Site-Scripting/XSS
○ Cryptojacking
○ Ransomware

● Some of the technologies used for security enforcement to mitigate cyber attacks
○ Firewalls, EDR/MDR/XDR, SIEM, SOAR, Vulnerability Assessment, Penetration Tests etc.

https://www.fortinet.com/resources/cyberglossary/types-of-cyber-attacks


Threat Actors & Risks
● Threat Actors: APT, Botnet/Zombies, Malware/Virus, Social Engineering (Phishing, Vishing, Smishing), Ransomware, DDoS etc.

● Cyber Risk: Cyber risk is based on the probability of a bad event happening to your business's information systems, leading to the loss of confidentiality, integrity, and availability of information


Advanced Persistent Threats - APTs
● An advanced persistent threat (APT) is a well-resourced adversary engaged in sophisticated malicious cyber activity that is targeted and aimed at prolonged network/system intrusion.

● APT objectives could include espionage, data theft, and network/system disruption or destruction.


Cryptography

● Cybersecurity is a framework of People, Process & Technology designed to protect systems, networks, programs, devices and data from cyber attacks

● In this section we will discuss some of the commonly used encryption technologies that provide data protection
Digital Encryption
● Encryption is a way to conceal information by altering it so that it appears to be random data. Encryption is essential for security on the Internet.

● An encryption algorithm is the method used to transform data into ciphertext. Like a physical key, it locks (encrypts) data so that only someone with the right key can unlock (decrypt) it.

● A cryptographic/encryption key is a string of characters used within an encryption algorithm for altering data so that it appears random (the ciphertext).


Types of Encryption
● Encryption is an essential cybersecurity technique as it provides various advantages including Privacy, Security and Data Integrity, and helps with complying with government regulatory and compliance standards, e.g. HIPAA, GDPR, PCI-DSS etc.
● There are two encryption mechanisms - Symmetric & Asymmetric

Symmetric - only one key is used by sender & receiver for both encryption and decryption.

Asymmetric - different keys (Public & Private) are used for encryption and decryption.

Figure: Symmetric Encryption (same key)


Key Differences of Symmetric & Asymmetric Encryption

https://www.youtube.com/watch?v=ERp8420ucGs



How Encryption helps secure the Internet
● Encryption is foundational for a variety of technologies to keep communication secure

● Almost all newer applications support encryption, e.g. Email, WhatsApp, Instagram, Facebook, Signal, Telegram, Web Browsers etc.

● Encryption is especially important for keeping HTTP requests and responses secure. The protocol responsible for this is called HTTPS (Hypertext Transfer Protocol Secure). A website served over HTTPS instead of HTTP will have a URL that begins with https:// instead of http://, usually represented by a lock icon in the address bar.

● HTTPS uses the encryption protocol called Transport Layer Security (TLS). In the past, an earlier encryption protocol called Secure Sockets Layer (SSL) was the standard, but TLS has replaced SSL. A website that implements HTTPS will have a TLS certificate installed on its origin server.

● Understanding Encryption further

https://www.youtube.com/watch?v=TImdsUglGv4

https://www.youtube.com/watch?v=WqoJOD9_8WY


Digital Signature & Certificates
● A digital signature is a mathematical technique used to validate the authenticity and integrity of
a digital document, message or software.

● A digital certificate is a file or electronic password that proves the authenticity of a device,
server, or user through the use of cryptography and the public key infrastructure (PKI). Digital
certificate authentication helps organizations ensure that only trusted devices and users can
connect to their networks.

● The Public key infrastructure (PKI) is the set of hardware, software, policies, processes, and
procedures required to create, manage, distribute, use, store, and revoke digital
certificates and public-keys.



Organizations can use a Public or Private PKI

● Public PKIs are automatically trusted by client software, while private PKIs must be manually trusted by the user (or, in corporate and IoT environments, deployed to all devices by the domain administrator) before any certificates issued by that PKI can be validated.

● Understanding Public and Private Keys & PKI in further detail

https://www.youtube.com/watch?v=0ctat6RBrFo


Cybersecurity Services

● Cybersecurity is a framework of People, Process & Technology designed to protect systems, networks, programs, devices and data from cyber attacks

● In this section we will discuss some of the commonly used technologies that provide protection from cyber attacks
Security Services
● Network Security: Network security focuses on protecting an organization's computer networks
from unauthorized access, attacks, and data breaches. It involves the implementation of firewalls,
intrusion detection and prevention systems, virtual private networks (VPNs), and other technologies to
secure network infrastructure.

● Note: When talking about Network Security, keep in mind that WiFi has replaced many of our wired networks, mainly because of its ease of use. However, it also brings security issues, therefore securing Wi-Fi, e.g. using WPA2, is very important.


Security Services
● Email Security: Email security involves the strategic set of measures and techniques used to
protect email-based communications, effectively preserving the confidentiality, integrity, and
availability of email messages.



Security Services
● Endpoint Detection & Response (EDR): EDR provides an organization with the ability to monitor endpoints for suspicious behavior and record every single activity and event. It then correlates information to provide critical context to detect advanced threats and finally runs automated response activity such as isolating an infected endpoint from the network in near real-time.

● Extended Detection & Response (XDR): XDR is the evolution of EDR (Endpoint Detection and Response). While EDR collects and correlates activities across multiple endpoints, XDR broadens the scope of detection beyond endpoints to provide detection, analytics, and response across endpoints, networks, servers, cloud workloads, SIEM, and much more.

● XDR provides a unified, single pane of glass view across multiple tools and attack vectors. This improved visibility provides contextualization of these threats to assist with triage, investigation, and rapid remediation efforts.

● Managed Detection & Response (MDR): MDR works by integrating a security platform with analytics and expert-led services to provide threat detection and response recommendations across cloud, hybrid, and on-premises environments and endpoints. Typically it is a category of Security-as-a-Service offering, where an organization outsources some of its security operations to a third-party Managed Security Service Provider.


Security Services
● Application Security: Application security is concerned with protecting software applications
from vulnerabilities and ensuring that they are developed, deployed, and maintained securely.
This involves code reviews, penetration testing, and the use of secure coding practices to
prevent exploitation of application weaknesses.



Security Services
● Data Security: Data security involves protecting sensitive information from unauthorized access, disclosure, alteration, and destruction. This includes encryption, access controls, data loss prevention (DLP), and backup strategies to ensure the confidentiality and integrity of data.


Security Services
● SIEM - Security Information & Event Management: SIEM stands for security information and event management. SIEM tools aggregate log data, security alerts, and events into a centralized platform to provide real-time analysis for security monitoring.

● SIEM technologies help organizations detect, analyze, and respond to security threats before they harm business operations

● Security operations centers (SOCs) invest in SIEM software to streamline visibility of log data across the organization’s environments, automate security workflows, detect and respond to cyber threats, and adhere to compliance mandates.


Security Services
● IAM - Identity & Access Management: IAM is focused on managing and controlling user access
to systems and data. It involves authentication processes, authorization mechanisms, and the
enforcement of least privilege principles to ensure that only authorized individuals have access
to specific resources.



Security Services
● Cloud Security: With the increasing adoption of cloud services, cloud security has become a critical component. It focuses on securing data, applications, and infrastructure in cloud environments. This includes implementing access controls, encryption, and monitoring for cloud-based resources.


Security Management

● Cybersecurity is a framework of People, Process & Technology designed to protect systems, networks, programs, devices and data from cyber attacks

● In this section we will discuss the typical teams and programs run to protect an organization’s digital assets
Cybersecurity Management/Governance
● Cybersecurity Management is the typical set of security activities executed by an organization to maintain its security posture at an adequate level

● Typical security activities involved in Security Management

○ Security Infrastructure - Implementing adequate information security controls

○ Security Prevention - Assuring security through vulnerability management and penetration testing (Red & Blue teams)

○ Compliance & Validation - Complying with and validating against various standards (e.g. NIST, ISO, GDPR, HIPAA, PCI-DSS, SOC-2, FedRamp etc.)

○ Security Operations Center (SOC): 24x7 monitoring, detecting & responding to security incidents


Red, Blue, Purple Teams
● The Red, Blue and Purple teams simulate cyberattacks and incident responses to test an organization's cybersecurity readiness. Their primary job involves mimicking real-life security threats, identifying vulnerabilities, enhancing information security, and strengthening defenses.

► Red — A red team is a group that pretends to be an enemy, attempts a physical or digital intrusion against an organization at the direction of that organization, then reports back so that the organization can improve its defenses. Red teams work for the organization or are hired by the organization.

► Blue — The group responsible for defending an enterprise's use of information systems by maintaining its security posture against a group of mock attackers (i.e., the Red Team).

► Purple — Purple teams act as an intermediary that allows Red and Blue teams to communicate. Purple teaming is a cybersecurity testing exercise in which a team of experts takes on the role of both red team and blue team, with the intention of providing a stronger, deeper assurance activity that delivers more tailored, realistic assurance to the organization being tested.


Cybersecurity GRC
GRC - Governance, Risk & Compliance: GRC is a comprehensive approach to managing an organization’s cybersecurity that incorporates three key components: governance, risk management, and compliance.

► Governance — Aligning processes and actions with the organization's business goals

► Risk — Identifying and addressing all of the organization's risks

❖ Risk = Impact * Probability

► Compliance — Ensuring all activities meet legal and regulatory requirements

❖ Common Compliance Frameworks e.g. NIST, GDPR, PCI-DSS, HIPAA, ISO, FedRamp, SOC


Cybersecurity Management
Security management covers all aspects of protecting an organization's assets – including computers, people, buildings, and other assets

Key Functions of a Typical SOC (figure)

Security Operations Center (SOC) (figure)


Incident Response (IR)
● IR is an organizational process that enables timely & effective response to cyber attacks

● An Incident Response plan responds to abnormal operating conditions to keep the business operating

● The four main components of Incident Response are:
○ Preparation
○ Detection and Analysis
○ Containment, Eradication and Recovery
○ Post-Incident Activity

● Incident Response teams are typically a cross-functional group of individuals who represent the management, technical and functional areas of responsibility most directly impacted by a security incident.


Business Continuity Plan (BCP)
● The main focus of business continuity is to keep the operations running during a crisis

● Components of the Business Continuity Plan (BCP) include details about how and when to enact the plan, and notification systems and call trees for alerting the team members and organizational associates that the plan has been enacted

● The plan provides the team with immediate response procedures and checklists and guidance for management

● Business Impact Assessment (BIA) - Identify and prioritize the risks


Disaster Recovery (DR)
● When both the Incident Response (IR) and Business Continuity (BC) plans fail, the Disaster Recovery
(DR) plan is activated to return operations to normal as quickly as possible

● The Disaster Recovery (DR) plan may include the following components:
○ executive summary providing a high-level overview of the plan
○ department-specific plans
○ technical guides for IT personnel responsible for implementing and maintaining critical
backup systems
○ full copies of the plan for critical disaster recovery team members, and checklists for certain
individuals

Understand the terminologies: High Availability (HA), Fault Tolerance (FT), Single Point of Failure (SPOF)



What’s Next?
(Additional Reference Study & Practice Tools)
Gain Additional Cybersecurity Knowledge to make a career
A. Start with Youtube Courses
a. Simplilearn Cyber Security Course (11 hours single video)
b. Edureka Cyber Security Training For Beginners (61 videos)
c. Google Cybersecurity Certification Course (18 videos)

B. Enrich your Theoretical Concepts from other online material
a. Codecademy - Introduction to Cybersecurity (3 Hours)
b. Fortinet Training Videos of FCF, FCA, FCP self-paced courses
c. ISC2 - Certified in Cybersecurity (CC) Course Material
d. Cisco Academy learning - study the free courses


Cybersecurity Practice Project & Tools
A. Students may pick one from this Youtube video
B. There are several free and open-source cybersecurity tools that students can use for hands-on learning and labs. Here's a list of some popular ones:

● Wireshark: A network protocol analyzer that allows students to capture and analyze the data traveling back and forth on a network.

● Nmap (Network Mapper): A powerful open-source tool for network exploration and security auditing.

● Metasploit: A penetration testing framework that helps students develop and execute exploit code against a remote target.

● Kali Linux: A Debian-based Linux distribution specifically designed for digital forensics and penetration testing. It comes pre-installed with various cybersecurity tools.
○ One of the best is Kali OS. Inside Kali, a lot of software is natively available.
○ Download its VM from https://www.kali.org/, run it, and use the software it contains

● OWASP ZAP (Zed Attack Proxy): An open-source security tool for finding vulnerabilities in web applications during the development and testing phase.

● Burp Suite Community Edition: A set of tools for testing web security. The Community Edition is free and includes various features for web application security testing.

● Ghidra: A software reverse engineering (SRE) framework developed by the National Security Agency (NSA). It helps students analyze malicious code and understand software internals.

● Snort: An open-source intrusion detection and prevention system (IDS/IPS) that can be used to detect and prevent network attacks.

● OpenVAS: The Open Vulnerability Assessment System is a powerful open-source vulnerability scanner.

● Hashcat: A password recovery tool that supports various hashing algorithms and can be used for password cracking.

● Cuckoo Sandbox: An open-source automated malware analysis system that can be used to analyze suspicious files and behavior.

● OSINT Framework: A collection of various tools and resources for open-source intelligence (OSINT) gathering.

● Volatility: An open-source memory forensics framework that allows students to analyze volatile memory dumps.

● Security Onion: A Linux distribution for intrusion detection, network security monitoring, and log management.

● YARA: A pattern-matching tool for identifying and classifying malware.


Cybersecurity Certification to start a career
A. Take at least a few of the following beginner level exams:

a. Certified in Cybersecurity (CC) - ISC2 (free for now)

b. Fortinet Certifications FCF & FCA (free self-paced training)

c. Google Cybersecurity Professional - (7 days free, later $49/month with access to all courses and certifications - Financial aid option available)

d. CompTIA Security+ (Paid but valuable)


8 Steps to start a fresh Cybersecurity career
1. Know the stuff - Develop intermediate level knowledge in your desired domain

2. Do a small project or lab, or use freely available tools to polish your skills.
a. Here is a list of some of the resources

3. Obtain some career certifications as proof that you know the stuff

4. CV - Build a ‘neat’ Resume

5. Create a Linkedin Profile with ‘open to work’ to attract recruiters

6. Prepare well for the upcoming interviews

7. Have some Professional References handy

8. Start job hunting - searching for a job is itself a full time job :-)

Good luck !


Train your brain to have a growth mindset!
Keep learning, keep growing
Keep learning, keep growing

“Learning is not attained by chance; it must be sought for with ardor and diligence.”
– Abigail Adams