defining responsible personnel to report and deal with malware threats; (4) regular reviews of the software and data content of systems supporting critical activities . The presence of any unapproved