• CIA triad • non-repudiation • authentication, authorization and accounting (AAA) • gap analysis • zero trust o adaptive identity o threat scope reduction o policy-driven access control o policy administrator o policy engine o implicit trust zones o system o policy enforcement point o security control categories • deception and disruption technology physical security control category