CASP/Risk
Analyze the security risk implications associated with business decisions
Risk management of new products, new technologies and user behaviors
New or changing business models/strategies
Partnerships
Outsourcing
Mergers
Internal and external influences
Audit findings
Compliance
Client requirements
Top level management
Impact of de-perimeterization (e.g. a constantly changing network boundary)
Considerations of an enterprise standard operating environment (SOE) vs. allowing Bring Your Own Device (BYOD)
Execute and implement risk mitigation strategies and controls
Classify information types into levels of CIA – Confidentiality, Integrity, and Availability based on organization/industry
Determine aggregate score of CIA
"CVSS Implementation Guidance". http://nvlpubs.nist.gov/nistpubs/ir/2014/NIST.IR.7946.pdf. Retrieved 2014JUN26.
"Common Weakness Scoring System (CWSS™)". http://cwe.mitre.org/cwss. Retrieved 2014JUN26.
Determine minimum required security controls based on aggregate score
"Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations". http://csrc.nist.gov/publications/nistpubs/800-137/SP800-137-Final.pdf. Retrieved 2014JUN30.
Conduct system specific risk analysis
"Guide for Conducting Risk Assessments". http://www.nist.gov/customcf/get_pdf.cfm?pub_id=912091. Retrieved 2014JUN30.
Make risk determination
"Risk Assessment". http://www.ready.gov/risk-assessment. Retrieved 2014JUN30.
Magnitude of impact
Likelihood of threat
"Factors for Estimating Likelihood". https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology#Step_2:_Factors_for_Estimating_Likelihood. Retrieved 2014JUN30.
Decide which security controls should be applied based on minimum requirements
Avoid
Transfer
Mitigate
Accept
Implement controls
"Critical Security Controls". http://www.sans.org/critical-security-controls. Retrieved 2014JUL07.
ESA – Enterprise Security Architecture frameworks
Continuous monitoring
Explain the importance of preparing for and supporting the incident response and recovery process
"Computer Security Incident Handling Guide". http://csrc.nist.gov/publications/nistpubs/800-61rev2/SP800-61rev2.pdf. Retrieved 2014JUL14.
E-Discovery
Electronic inventory and asset control
Data retention policies
Data recovery and storage
Data ownership
Data handling
Data breach
Recovery
Minimization
Mitigation and response
System design to facilitate incident response taking into account types of violations
Internal and external
Privacy policy violations
Criminal actions
Establish and review system event and security logs
Incident and emergency response
Implement security and privacy policies and procedures based on organizational requirements
Policy development and updates in light of new business, technology and environment changes
Process/procedure development and updates in light of policy, environment and business changes
Support legal compliance and advocacy by partnering with HR, legal, management and other entities
Use common business documents to support security
Interconnection Security Agreement (ISA)
Memorandum of Understanding (MOU)
Service Level Agreement (SLA)
Operating Level Agreement (OLA)
Non-Disclosure Agreement (NDA)
Business Partnership Agreement (BPA)
Use general privacy principles for PII – Personally Identifiable Information/ Sensitive PII