Question

You have been hired by CyberBlast Crispy Company as an Information Security Risk Officer to assess the security-related aspects of its existing system

You have been hired by CyberBlast Crispy Company as an Information Security Risk Officer to assess the security-related aspects of its existing system and offer recommendations for enhancing security and reliability. One of your key duties is to guarantee the confidentiality, integrity, and availability (CIA) of data and associated services. You have conducted security assessments on various applications, systems, policies, procedures, and devices and have observed the following:
1- Several employees have been observed writing their login credentials on stickers and secretly pasting them under their keyboards, believing it provides a convenient way to remember their passwords. Even more alarmingly, a number of employees have resorted to using their colleagues' login credentials, either with or without their knowledge. The company has deployed high-resolution CCTV cameras that closely monitor employees' workstations. Furthermore, the absence of paper shredders within employees' offices has become a topic of concern, but you find scissors for cutting paper.
2- During your investigation, you come across a Microsoft Word document named 'PASS' on the IT administrator's workstation, protected using a weak password. You guessed it easily when you tried manual brute force, and you found it was "1234". Upon opening it, you uncover a comprehensive list of essential usernames and passwords for various systems, servers, databases, and the firewall. What's more, this workstation is connected to the internet. A review of the workstation's firewall policy reveals significant misconfigurations, with all policies disabled and unrestricted access permitted. Moreover, you observe an absence of intrusion prevention system (IPS), anti-malware, and web filtering policies.
3- The CyberBlast Crispy company has policy issues, such as inadequate password policy in terms of length, complexity, and hashing for the database, the absence of clear data handling policies, no physical security policies, an incident response plan that is missing, a lack of training and policies to recognize and respond to social engineering attacks, the absence of access control policies, and the overall lack of clear policies and practices. This situation makes it challenging to ensure compliance with industry-specific regulations, such as GDPR.
The question: (Given the scenario above, list the controls/countermeasures initially used by the CyberBlast Crispy Company to protect their assets considering their CIA principles in mind.)
