The company used intrusion detection systems, and top management received monthly reports on system security effectiveness. Corrective controls included the formation of a computer emergency response team and the development and practicing of an incident response plan.