CASP/Risk

From Wikibooks, open books for an open world

Analyze the security risk implications associated with business decisions

Risk management of new products, new technologies and user behaviors

New or changing business models/strategies

Partnerships

Outsourcing

Mergers

Internal and external influences

Audit findings

Compliance

Client requirements

Top level management

Impact of de-perimeterization (e.g. constantly changing network boundary)

Considerations of enterprise standard operating environment (SOE) vs. allowing Bring Your Own Device (BYOD)

Execute and implement risk mitigation strategies and controls

Classify information types into levels of CIA – Confidentiality, Integrity, and Availability based on organization/industry

Determine aggregate score of CIA

"CVSS Implementation Guidance" (PDF). Retrieved 26 June 2014.
"Common Weakness Scoring System (CWSS™)". Retrieved 26 June 2014.

Determine minimum required security controls based on aggregate score

"Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations" (PDF). Retrieved 30 June 2014.

Conduct system specific risk analysis

"Guide for Conducting Risk Assessments". Retrieved 30 June 2014.

Make risk determination

"risk assessment". Retrieved 30 June 2014.

Magnitude of impact

Likelihood of threat

"Factors for Estimating Likelihood". Retrieved 30 June 2014.

Decide which security controls should be applied based on minimum requirements

Avoid

Transfer

Mitigate

Accept

Implement controls

"Critical Security Controls". Retrieved 7 July 2014.

ESA – Enterprise Security Architecture frameworks

Continuous monitoring

Explain the importance of preparing for and supporting the incident response and recovery process

"Computer Security Incident Handling Guide" (PDF). Retrieved 14 July 2014.

E-Discovery

Electronic inventory and asset control

Data retention policies

Data recovery and storage

Data ownership

Data handling

Data breach

Recovery

Minimization

Mitigation and response

System design to facilitate incident response taking into account types of violations

Internal and external

Privacy policy violations

Criminal actions

Establish and review system event and security logs

Incident and emergency response

Implement security and privacy policies and procedures based on organizational requirements

Policy development and updates in light of new business, technology and environment changes

Process/procedure development and updates in light of policy, environment and business changes

Support legal compliance and advocacy by partnering with HR, legal, management and other entities

Use common business documents to support security

Interconnection Security Agreement (ISA)

Memorandum of Understanding (MOU)

Service Level Agreement (SLA)

Operating Level Agreement (OLA)

Non-Disclosure Agreement (NDA)

Business Partnership Agreement (BPA)

Use general privacy principles for PII – Personally Identifiable Information/ Sensitive PII

Support the development of policies that contain

Separation of duties

Job rotation

Mandatory vacation

Least privilege

Incident response

Forensic tasks

On-going security

Training and awareness for users

Auditing requirements and frequency