This is a CST 630 9040 Advanced Cyber Exploitation and Mitigation Methodologies (2228) Project 3 about Enterprise Network Security.
Topic: Cybersecurity System Security Report for Successful Acquisition.
Please write 13 pages of the Cybersecurity System Security Report for Successful Acquisition by strictly following assignment instructions/steps and a video scenario.
Here is the link for the video scenario: https://youtu.be/iZmbGPCxAlc
The 13-pages should be a double-spaced Word document with citations in APA format. The page count does not include figures, diagrams, tables, or citations you will add as necessary.
The report’s first page should be an Executive Summary, a thorough overview of the report that highlights the key points.
The assignment instruction and steps are as follows,
Businesses involved in mergers and acquisitions must exercise due diligence in ensuring that the technology environment of the future organization is robust and adequately protects their information assets and intellectual property. Such an effort requires time and open sharing to understand the physical locations, computing environment, and any gaps to address. Lack of information sharing can lead to a problematic systems integration and hamper the building of a cohesive enterprise security posture for the merged organization.
Often, the urgency of companies undergoing a merger and acquisition (M&A) impedes comprehensive due diligence, especially in cybersecurity. This creates greater challenges for the cybersecurity engineering architect, who typically leads the cybersecurity assessment effort and creates the road map for the new enterprise security solution in the future organization. However, the business interest and urgency in completing the merger can also represent an opportunity for CISOs to use additional resources and executive attention on strategic security matters.
In this project, you will create a report on system security issues during an M&A. The details of your report, which will also include an executive summary, can be found in the final step of the project.
There are nine steps to the project. The project as a whole should take two weeks to complete. Begin with the workplace scenario and then continue to Step 1.
Step 1: Conduct a Policy Gap Analysis
As you begin Step 1 of your system security report on cybersecurity for mergers and acquisitions (M&A), keep in mind that the networks of companies going through an M&A can be subject to cyberattack.
Cybersecurity for Mergers and Acquisitions
The goal of successful mergers and acquisitions (M&A) of companies is to integrate the strengths of the two organizations while reducing or minimizing their liabilities to result in greater growth and profit margins for the newly formed organization.
In combining the two entities, the security risks that exist within the individual entities and how they will affect the newly formed organization must be considered. As part of the acquisition process, a cybersecurity due diligence review should be conducted in order to identify all corporate assets that have the ability to be compromised through unauthorized access. Next, the potential and currently documented risks must be identified and examined, respectively; these risks may take the form of internal risks, external risks, and supply chain risks (Kennedy & Nelson, 2016).
Reviewing records of compliance from regulatory bodies is an important step as well as conducting a comprehensive cybersecurity review of both entities; these activities will provide insight into the security posture of both companies. Audits and penetration testing of critical systems should be conducted, and a clear understanding of the cybersecurity cultures of the companies should be achieved.
Main areas of concern in M&A related to security include physical security, technical security, disaster recovery, and policy and awareness (Hartman, 2002).
Specific questions to be addressed include the following (Ernst & Young, n.d.) :
• How secure is the transaction? Can unauthorized users gain access to protected information?
• Are new threats introduced by the current threat posture as a result of this merger or acquisition?
• Are there any new cyber targets or vulnerabilities being introduced by the newly acquired intellectual property?
• Are due diligence and cyber risk profiling being conducted as it related to cybersecurity effectiveness?
• Do the new employees understand the cyber culture of the organization?
• Will the merger/acquisition be subject to governmental cyber concerns?
Ernst & Young. (n.d.). Cyber threat flash points: Mergers and acquisitions. http://www.ey.com/gl/en/services/advisory/ey-cybersecurity-cyber-threat-flash-points-mergers-and-acquisitions
Hartman, A. (2002). Security considerations in the merger/acquisition process. https://www.sans.org/reading-room/whitepapers/casestudies/security-considerations-merger-acquisition-process-667
Kennedy, R. B., & Nelson, W. D. (2016, November 2). Cybersecurity concerns in mergers and acquisitions. https://www.law360.com/articles/857627/3-cybersecurity-concerns-in-mergers-and-acquisitions
As you work through this step and the others, keep these questions in mind:
• Are companies going through an M&A prone to more attacks or more focused attacks?
• If so, what is the appropriate course of action?
• Should the M&A activities be kept confidential?
Now, look at the existing security policies in regard to the acquisition of the media streaming company. You have to explain to the executives that before any systems are integrated, their security policies will need to be reviewed.
Policy Gap Analysis
Companies put policies in place to define the rules under which employees should behave and system systems should be used. These standards govern the operations of the organization and enable the company to define the accountability of the employee as they conduct work for the company.
Policies can range from the number of hours an employee is expected to be in the office daily to the required format and frequency of system password management. A gap analysis can be performed to determine if a company is missing any policies that may be critical to ensuring the company maintains a formidable security posture (Jardine, 2014).
When performing a gap analysis, the current policies are examined while considering current and desired operational and security stance. Understanding where the company currently is and where it plans to go will ensure that all policies needed to support that future state are identified. Comparing these two states will reveal the current gaps that exist so that strategies for bridging the gaps can be selected, proper actions taken, current policies modified, and new policies enacted when appropriate (Mikoluk, 2013).
Jardine, J. (2014, July 22). Policy gap analysis: Filling the gaps [Blog post]. https://blog.secureideas.com/2014/07/policy-gap-analysis-filling-gaps.html
Mikoluk, K. (2013, July 23). Gap analysis template: The 3 key elements of effective gap analysis [Blog post]. https://blog.udemy.com/gap-analysis-template/
Conduct a policy gap analysis to ensure the target company’s security policies follow relevant industry standards as well as local, state, and national laws and regulations. In other words, you need to make sure the new company will not inherit any statutory or regulatory noncompliance from either of the two original companies. This step would also identify what, if any, laws and regulations the target company is subject to. If those laws are different from the laws and regulations the acquiring company is subject to, then this document should answer the following questions:
• How would you identify the differences?
• How would you learn about the relevant laws and regulations?
• How would you ensure compliance with those laws and regulations?
The streaming company that is being acquired has a current customer base of 150,000 users, who on average pay $14.99 in monthly fees. Based on the overall income, use PCI Standards DSS 12 requirements and the PCI DSS Quick Reference Guide to identify a secure strategy and operating system protections to protect the credit card data.
PCI Standards DSS 12 Requirements
The Payment Card Industry (PCI) Security Standards Council (SSC) has developed standards to protect the credit card payment data of cardholders. Any businesses that store, process, or transmit this data are governed by these security standards, and all technical and operational system components must comply with the rules set by the standards.
Control Objectives PCI DSS Requirements
Build and maintain a secure network 1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect cardholder data 3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
Maintain a vulnerability management program 5. Use and regularly update antivirus software on all systems commonly affected by malware
6. Develop and maintain secure systems and applications
Implement strong access control measures 7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Regularly monitor and test networks 10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an information security policy 12. Maintain a policy that addresses information security
There are 12 core requirements associated with this compliance. The table below provides the PCI DSS requirements and the control objectives achieved by those requirements.
The six objectives of PCI DSS are directly relatable to the 12 PCI DSS requirements as shown in the table. Details specific to each requirement are outlined in the PCI DSS Quick Reference Guide at https://www.pcisecuritystandards.org/documents/PCIDSS_QRGv3_1.pdf
PCI DSS compliance to these standards helps to ensure that payments systems are safe from cyberattacks and that transactions conducted by those systems are secure (Ryan Technical Services, n.d.).
Ryan Technical Services (n.d.). PCI DSS compliance. http://ryantech.com/pci-dss-compliance
If a strategy is defined as “a method or plan chosen to bring about a desired future, such as achievement of a goal or solution to a problem” (Business Dictionary, n.d.), it then follows that a secure strategy is a plan that will achieve an organization’s security goals.
Just as the federal government has a cybersecurity strategy, individual businesses should also have a strategy defined for ensuring the protection of their corporate assets as well as their customers’ personal information. Secure strategy should include the policies, processes, and guidelines put in place by both the company as well as any other external compliance requirements related to the infrastructure of business operations. Methods for protecting critical information infrastructure should also be defined and included in a secure strategy (DHS, 2011).
Business Dictionary. (n.d.). Strategy. http://www.businessdictionary.com/definition/strategy.html
Department of Homeland Security (DHS). (2011, November). Blueprint for a secure cyber future. https://www.dhs.gov/xlibrary/assets/nppd/blueprint-for-a-secure-cyber-future.pdf
Operating System Protections
In order to take advantage of the capabilities provided by various computing devices, an operating system must be present to manage their resources and processes. And it is important to protect the functions of the operating system from unauthorized access and use. The operating system not only interacts with the system hardware, but it also communicates with software applications and external devices (Carnaghan, 2015).
Goals of protection not only include preventing malicious/misuse of the system but also minimizing possible damage and implementing effective security policies by both system administrators and users (Silberschatz et al., 2012; Bell, 2013).
In order to protect the operating system, access to the operating system must be controlled. The principle of least privilege is based on the premise that software, users, and systems be granted the minimum level of access required to effectively complete their tasks. This, in conjunction with the “need to know principle,” which states that computer processes should have the minimum level of access required to complete tasks over the minimum amount of time required to do so, offer good strategies to mitigate and reduce the possible occurrences of misuse (Silberschatz et al., 2012; Bell, 2013).
Based on the principle of least privilege, role-based access control (RBAC) is used to give permissions, or access privileges, to users and programs. In the RBAC model, access to system resources is based on predefined user roles (Carnaghan, 2015).
Computer processes/programs can be assigned protection domains that specify resources they have been given permissions to access, and each domain defines the type of access rights of that process to perform an operation (Silberschatz et al., 2012; Bell, 2013).
Bell, J. T. (2013). Operating systems course notes – protection. From Silberschatz, Gagne, and Galvin: Operating systems concepts (9th ed.). https://www.cs.uic.edu/~jbell/CourseNotes/OperatingSystems/14_Protection.html
Carnaghan, I. (2015, October 25). Operating systems security: Protection measures analysis [Blog post]. https://www.carnaghan.com/2015/10/operating-systems-security-protection-measures-analysis/).
Silberschatz, A., Gagne, G., & Galvin, P. B. (2012). Operating systems concepts (9th ed.). John Wiley & Sons.
Select at least two appropriate requirements from the PCI Standards DSS 12 set of requirements and explain how the controls should be implemented, how they will change the current network, and any costs associated with implementing the change.
This policy gap analysis will be part of the final Cybersecurity System Security Report.
In the next step, you will review the streaming protocols that the companies are using.
Step 2: Review Protocols for Streaming Services
After reviewing the policies from the company and the policy gap analysis, the M&A leader asks you about the protocols used by the streaming company. He wants to know if the protocols used would affect the current state of cybersecurity within the current company environment. For this section of the report, review the protocols, explain how they work along with any known vulnerabilities, and how to secure the company from cyberattacks. Start with researching the commonly known streaming protocols and the vulnerabilities of those protocols. Some examples are the Real-Time Streaming Protocol (RTSP), Real-Time Transport Protocol (RTP), and the Real-Time Transport Control Protocol (RTCP).
A protocol is the set of rules followed during communications between two objects (Udiminue, 2007). Streaming means transmitting audio or video, or both, in a way that allows it to start being processed before it is downloaded in its entirety (McGath, 2013).
Streaming protocols provide the rules to be followed when streaming media is sent from one point on a network to another point on that network. Streaming protocols fall within the family of communication protocols and operate in the application layer of the International Organization for Standardization’s (ISO’s) Open Systems Interconnection (OSI) model (Ozer, 2012).
Streaming protocols often use the Transmission Control Protocol (TCP) and the User Datagram Protocol (UDP) as their transport protocols. Many streaming protocols exist, including the Real-Time Streaming Protocol (RTSP), the Real-Time Transport Protocol (RTP), and the Real-Time Transport Control Protocol (RTCP). Each of these is described below (Letzgro, 2016):
• RTSP—an application-level protocol that establishes and monitors client/server sessions, controls the performance of the streaming servers, and enables the viewing of the media before it is completed downloaded. Users can also use familiar controls (e.g., play, pause, stop) to interact with the streaming process.
• RTP—enables audio and video streaming through IP networks, ensuring the consistency of the media data; most are based on UDP; RTP delivers the data.
• RTCP—works in conjunction with RTP and monitors the information about the transmission.
Letzgro. (2016, August 26). How to sort through the variety of streaming protocols [Blog post]. http://letzgro.net/blog/the-variety-of-streaming-protocols/
McGath, G. (2013). Basics of streaming protocols. http://www.garymcgath.com/streamingprotocols.html
Ozer, J. (2012, August 22). What is a streaming media protocol? http://www.streamingmedia.com/Articles/Editorial/What-Is-…/What-Is-a-Streaming-Media-Protocol-84496.aspx
Udiminue, D. (2007). Protocol. http://searchnetworking.techtarget.com/definition/protocol
Additionally, the leadership wants to know if any vulnerabilities identified would or could lead to a no-go on the M&A.
In other words:
• You need to identify the kind of streaming that such companies might be doing and the specific technology they would be using.
• What are the technical vulnerabilities associated with the protocols involved?
• Have those been mitigated? And to what extent (i.e., has the risk been reduced to zero, reduced somewhat, shifted to a third party, etc.)?
• What residual risk to the target company’s assets and IP remain?
• Would those risks extend to the current (takeover) company after the merger? Would that be bad enough to cancel the M&A?
• If the response to the last question is yes, then what should the target company do to further mitigate the risk? How should the takeover company mitigate the risk?
• What are the costs associated to the target company (implementing the appropriate mitigation)? If the takeover firm has to take additional measures, identify those costs as well.
After assessing and reviewing the streaming protocols, move to the next step, where you will assess the infrastructure of the merged network.
Step 3: Assess the Merged Network Infrastructure
You’ve just reviewed the streaming services of the companies, and now you will assess the infrastructure of the new network. The networks of the two companies could be configured differently, or they could use the same hardware and software, or completely different hardware and software.
You need to understand what tools the company is using, the benefits and shortcomings of those tools, and the gaps within the network. Explain in your security report what tactics, techniques, and procedures you would use to understand the network. You should identify firewalls, DMZ(s), other network systems, and the status of those devices.
When your assessment of the infrastructure is complete, move to the next step, where you will assess any existing policies for wireless and bring your own device (BYOD) within the companies.
Step 4: Review the Wireless and BYOD Policies
Within Project 2, you learned about and discussed wireless networks. An M&A provides an opportunity for both companies to review their wireless networks. Within your report, explain the media company’s current stance on wireless devices and BYOD. However, the company that is being acquired does not have a BYOD policy. Explain to the managers of the acquisition what needs to be done for the new company to meet the goals of the BYOD policy.
When the review of the wireless and BYOD policies is complete, move to the next step: developing a data protection plan.
Step 5: Develop a Data Protection Plan
You’ve completed the review of the wireless and BYOD policies. In this step, you will develop the recommendations portion of your report in which you will suggest additional mechanisms for data protection at different levels of the acquired company’s architecture.
Include the benefits of defense measures such as full disk encryption (BitLocker is an example) and platform identity keys as well as the required implementation activities. You also want to convey to your leadership the importance of system integrity and an overall trusted computing base, environment, and support. Describe what this would entail and include Trusted Platform Module (TPM) components and drivers. How are these mechanisms employed in an authentication and authorization system? Include this in the report and whether the merging company has this.
Full Disk Encryption
Full disk encryption protects all data stored on hard drives of computing devices, including mobile devices by encrypting all of the data stored on the devices. This type of encryption is critical if unauthorized users gain physical access to your equipment or if it is lost or stolen, as it will protect your data, rendering it inaccessible (Civilians Against Global Encroachment, 2017). BitLocker is an example of a full disk encryption feature available for Windows-based platforms.
Civilians Against Global Encroachment. (2017). Full-disk encryption. https://www.dontcageus.org/full-disk-encryption/
BitLocker is a Windows-based full disk encryption feature. Full disk encryption protects data if you leave the computing device unattended, and the data will remain secure and inaccessible if the computer is lost or stolen.
If the system is equipped with a Trusted Platform Module (TPM) microchip, BitLocker uses it to lock the keys that encrypt the data. These keys cannot be accessed unless the TPM has been able to verify the state of the computing device. The entire system volume, including the data, system registry operating system, temporary and hibernation files, are encrypted. As a result, if an unauthorized user attempts to remove the hard drive and install it in another device to access the data, he or she will be unsuccessful since the private key on the TPM located in the device on its motherboard is required to unlock the data.
Since the computer is booted, the TPM will only release the key to unlock the encrypted volume if the configuration values captured previously match those hashed. If there any inconsistencies found during this process, reflecting that the system integrity has been compromised, then the TPM will not release the key, and the data will be inaccessible (Koneti, 2010).
Koneti, E. (2010, May 12). BitLocker in Windows 7 [Blog post]. http://eskonr.com/2010/05/bitlocker-in-windows-7/
Platform Identity Keys
Platform identity keys, also known as attestation identity keys (AIKs), are components of a Trusted Platform Module (TPM) and are used to sign data from the TPM such as digital certificates and quotes.
A TPM can have multiple identities; the AIKs are the aliases that represent these identities. This allows the use of many keys that cannot be linked to each other with regard to any relationship between them across different providers that need to authenticate the TPM’s identity (Tomlinson, 2008)
Tomlinson, A. (2008). Introduction to the TPM. In K. Mayes & K. Markantonakis (Eds.), Smart Cards, Tokens, Security and Applications (pp. 155–172). Springer.
Trusted Computing Base
The National Institute of Standards and Technology (NIST) defines trusted computing base (TCB) as “the totality of protection mechanisms within a computer system, including hardware, firmware, and software, the combination of which is responsible for enforcing a security policy” (Nieles et al., 2017). The TCB is enforced as a unified security policy for systems and products, and TCB’s effectiveness depends on its correct implementation by the administrators.
Nieles, M., Dempsey, K., & Yan Pillitteri, V. (2017). An introduction to information security (Special Publication 800-12, Revision 1). National Institute of Standards and Technology, US Department of Commerce. https://doi.org/10.6028/NIST.SP.800-12r1
Trusted Platform Module (TPM)
A Trusted Platform Module (TPM) is a hardware chip installed in most desktop and server-class systems. According to Nepal et al., (2011):
The TPM provides a hardware-based root of trust, and contains cryptographic functionality to generate, store, and manage cryptographic keys in hardware. One of the aims of the TPM is to provide a cost- effective way of “hardening” of many of today’s commonly deployed applications that previously relied solely upon software encryption algorithms with keys kept on a host’s disk. Another aim is for the TPM to provide proof of the integrity of platform through measurement of the platform’s operating environment (hardware, device drivers, operating system, and applications) and attestation of these against a well-known and carefully defined and maintained set of characteristics.
The TPM standard, defined by Trusted Computing Group (TCG), specifies several functions including key generation, cryptography, secure storage, and integrity measurement.
Nepal S., Zic J., Liu D., Jang J. (2011). A mobile and portable trusted computing platform. EURASIP Journal on Wireless Communications and Networking. http://jwcn.eurasipjournals.springeropen.com/articles/10.1186/1687-1499-2011-75
In the next step, you will assess any risks with the supply chain of the acquired company.
Step 6: Review Supply Chain Risk
The data protection plan is ready. In this step, you will take a look at risks to the supply chain. Acquiring a new company also means inheriting the risks associated with its supply chain and those firm’s systems and technologies. Include in your report the supply chain risks and list the security measures in place to mitigate those risks. Use the NIST Special Publication 800-161, Supply Chain Risk Management Practices for Federal Information Systems and Organizations, to explain the areas that need to be addressed.
Supply Chain Risks
A supply chain can be described as all of the personnel, businesses, resources, operations, and technology involved in the creation, sale, and distribution of an organization’s product to its customer base (Wigmore, n.d.).
Risk to these elements in the supply chain can come in many forms. Some possible risks include (Blanchard, 2009):
• the countries of residence of any partners, supplies, and distributors within the supply chain, as security threats in those locations can vary;
• shipment and delivery accuracy of resources in the supply chain;
• physical security of offices and personnel in various locations;
• internal processes and the security posture of those processes;
• quality problems or defects in products or processes in the supply chain;
• social and environmental factors related to the work environments; and
• use of social media platforms
Identifying strategies to reduce or mitigate these risk factors is a critical element of program management and the ultimate goal of a risk management process.
Blanchard, D. (2009, January 9). Top five supply chain risk factors. http://www.industryweek.com/environment/top-five-supply-chain-risk-factors
Johnson, C. (2014, May 21). Different types of risk in your supply chain, and how to avoid them. http://www.europeanbusinessreview.com/types-risk-supply-chain-avoid/
University of Tennessee. (2014). Managing risk in the global supply chain. http://globalsupplychaininstitute.utk.edu/publications/documents/Risk.pdf
Wigmore, I. (n.d.). Supply chain. http://whatis.techtarget.com/definition/supply-chain
After your supply chain review is complete, move to the next step, where you will create a vulnerability management program.
Step 7: Build a Vulnerability Management Program
Vulnerability Management Program
Securing information technology systems from cyberthreats has become a critical program management function. In order to ensure consistent protective measures are taken by all organizations, standards have been developed to regulate best practice compliance in these areas and are referred to as vulnerability management programs.
Once such regulation that mandates use of a vulnerability management program is the Payment Card Industry Data Security Standard (PCI DSS), which defines compliance guidelines for businesses performing credit card payment processing transactions. The goal of vulnerability management programs is to address security weaknesses that may result in system exploitation and unauthorized access of sensitive information (Shanks, 2015).
Vulnerability management requires the following activities:
• tracking of system assets/resources
• placing assets into categories
• scanning the assets to detect vulnerabilities
• ranking and prioritizing the risks
• managing software patches to overcome the vulnerability
• follow-up remediation to ensure the vulnerability has been rectified
These steps allow an organization to detect, eliminate, and control the inherent risk of vulnerabilities. Using specialized software and effective workflow as part of the vulnerability program helps to remove the detected risks.
Shanks, W. (2015). Building a vulnerability management program – a project management approach. https://www.sans.org/reading-room/whitepapers/projectmanagement/building-vulnerability-management-program-project-management-approach-35932
After your supply chain review, you conduct an interview with the company’s current cybersecurity team about vulnerability management. The team members explain to you that they never scanned or had the time to build a vulnerability management program. So, you need to build one. Use the NIST Guide to Enterprise Patch Management Technologies, Special Publication 800-40, to develop a program to meet the missing need.
Explain to the managers how to implement this change, why it is needed, and any costs involved.
The next step is a key one that should not be overlooked—the need to educate users from both companies of the changes being made.
Step 8: Educate Users
You’ve completed your vulnerability management program, but it’s important to educate all the users of the network about the changes. During the process of acquiring a company, policies, processes, and other aspects are often updated. So the last step in the process is to inform users in both the parent company and the acquired company of the changes. Within your report, explain to the acquisition managers the requirements for training the workforce.
When you’ve completed this step, move to the final section of this project, in which you will prepare and submit your final report.
Step 9: Prepare and Submit Your Report and Executive Summary
You’re ready now for the final step, in which you will compile and deliver the Cybersecurity System Security Report for a Successful Acquisition for the company leaders to enable them to understand the required cybersecurity strategy.
Again, keep in mind that companies undergoing an acquisition or merger are more prone to cyberattacks. The purpose of this paper is to analyze the security posture of both companies and to develop a plan to reduce the possibility of an attack.
The assignments for this project are as follows:
• Cybersecurity System Security Report for Successful Acquisition: Your report should be a minimum 13-page double-spaced Word document with citations in APA format. The page count does not include figures, diagrams, tables, or citations.
• Executive summary: This is a one-page summary at the beginning of your report.
Submit both components to the assignment folder after reading the instructions below.
Check Your Evaluation Criteria
Before you submit your assignment, review the competencies below, which your instructor will use to evaluate your work. A good practice would be to use each competency as a self-check to confirm you have incorporated all of them. To view the complete grading rubric, click My Tools, select Assignments from the drop-down menu, and then click the project title.
• 2.1: Identify and clearly explain the issue, question, or problem under critical consideration.
• 5.9: Manages and administers integrated methods, enabling the organization to identify, capture, catalog, classify, retrieve, and share intellectual capital and information content. The methods may include utilizing processes and tools (e.g., databases, documents, policies, procedures) and expertise pertaining to the organization.
• 7.3: Knowledge of methods and tools used for risk management and mitigation of risk.
• 8.7: Provide theoretical basis and practical assistance for all aspects of digital investigation and the use of computer evidence in forensics and law enforcement.