Carry out information security risk assessment and management activities