CASP/Risk
Analyze the security risk implications associated with business decisions
Risk management of new products, new technologies and user behaviors
New or changing business models/strategies
Partnerships
Outsourcing
Mergers
Internal and external influences
Audit findings
Compliance
Client requirements
Top-level management
Impact of de-perimeterization (e.g. a constantly changing network boundary)
Considerations of an enterprise standard operating environment (SOE) vs. allowing Bring Your Own Device (BYOD)
Execute and implement risk mitigation strategies and controls
Classify information types into levels of CIA (Confidentiality, Integrity, and Availability) based on organization/industry
Determine aggregate score of CIA
"CVSS Implementation Guidance" (PDF). Retrieved 26 June 2014.
"Common Weakness Scoring System (CWSS™)". Retrieved 26 June 2014.
Determine minimum required security controls based on aggregate score
"Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations" (PDF). Retrieved 30 June 2014.
Conduct system-specific risk analysis
"Guide for Conducting Risk Assessments". Retrieved 30 June 2014.
Make risk determination
"risk assessment". Retrieved 30 June 2014.
Magnitude of impact
Likelihood of threat
"Factors for Estimating Likelihood". Retrieved 30 June 2014.
Decide which security controls should be applied based on minimum requirements
Avoid
Transfer
Mitigate
Accept
Implement controls
"Critical Security Controls". Retrieved 7 July 2014.
ESA - Enterprise Security Architecture frameworks
Continuous monitoring
Explain the importance of preparing for and supporting the incident response and recovery process
"Computer Security Incident Handling Guide" (PDF). Retrieved 14 July 2014.
E-Discovery
Electronic inventory and asset control
Data retention policies
Data recovery and storage
Data ownership
Data handling
Data breach
Recovery
Minimization
Mitigation and response
System design to facilitate incident response, taking into account types of violations
Internal and external
Privacy policy violations
Criminal actions
Establish and review system event and security logs
Incident and emergency response
Implement security and privacy policies and procedures based on organizational requirements
Policy development and updates in light of new business, technology and environment changes
Process/procedure development and updates in light of policy, environment and business changes
Support legal compliance and advocacy by partnering with HR, legal, management and other entities
Use common business documents to support security
Interconnection Security Agreement (ISA)
Memorandum of Understanding (MOU)
Service Level Agreement (SLA)
Operating Level Agreement (OLA)
Non-Disclosure Agreement (NDA)
Business Partnership Agreement (BPA)
Use general privacy principles for PII – Personally Identifiable Information/ Sensitive PII