CASP/Risk
Analyze the security risk implications associated with business decisions
Risk management of new products, new technologies and user behaviors
New or changing business models/strategies
Partnerships
Outsourcing
Mergers
Internal and external influences
Audit findings
Compliance
Client requirements
Top level management
Impact of de-perimeterization (e.g. constantly changing network boundary)
Considerations of enterprise standard operating environment (SOE) vs. allowing Bring Your Own Device (BYOD)
Execute and implement risk mitigation strategies and controls
Classify information types into levels of CIA – Confidentiality, Integrity, and Availability based on organization/industry
Determine aggregate score of CIA
"CVSS Implementation Guidance" (PDF). Retrieved 2014-06-26.
"Common Weakness Scoring System (CWSS™)". Retrieved 2014-06-26.
Determine minimum required security controls based on aggregate score
"Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations" (PDF). Retrieved 2014-06-30.
Conduct system-specific risk analysis
"Guide for Conducting Risk Assessments". Retrieved 2014-06-30.
Make risk determination
"risk assessment". Retrieved 2014-06-30.
Magnitude of impact
Likelihood of threat
"Factors for Estimating Likelihood". Retrieved 2014-06-30.
Decide which security controls should be applied based on minimum requirements
Avoid
Transfer
Mitigate
Accept
Implement controls
"Critical Security Controls". Retrieved 2014-07-07.
Enterprise Security Architecture (ESA) frameworks
Continuous monitoring
Explain the importance of preparing for and supporting the incident response and recovery process
"Computer Security Incident Handling Guide" (PDF). Retrieved 2014-07-14.
E-Discovery
Electronic inventory and asset control
Data retention policies
Data recovery and storage
Data ownership
Data handling
Data breach
Recovery
Minimization
Mitigation and response
System design to facilitate incident response, taking into account types of violations
Internal and external
Privacy policy violations
Criminal actions
Establish and review system event and security logs
Incident and emergency response
Implement security and privacy policies and procedures based on organizational requirements
Policy development and updates in light of new business, technology and environment changes
Process/procedure development and updates in light of policy, environment and business changes
Support legal compliance and advocacy by partnering with HR, legal, management and other entities
Use common business documents to support security
Interconnection Security Agreement (ISA)
Memorandum of Understanding (MOU)
Service Level Agreement (SLA)
Operating Level Agreement (OLA)
Non-Disclosure Agreement (NDA)
Business Partnership Agreement (BPA)
Use general privacy principles for PII – Personally Identifiable Information / Sensitive PII