Identification should include patch management, application updates, and OS hardening.