CASP/Risk

Analyze the security risk implications associated with business decisions

Risk management of new products, new technologies and user behaviors

New or changing business models/strategies

Partnerships

Outsourcing

Mergers

Internal and external influences

Audit findings

Compliance

Client requirements

Top level management

Impact of de-perimiterization (e.g. constantly changing network boundary)

Considerations of enterprise standard operating environment (SOE) vs. allowing Bring Your Own Device(BYOD)

Execute and implement risk mitigation strategies and controls

Classify information types into levels of CIA – Confidentiality, Integrity, and Availability based on organization/industry

Determine aggregate score of CIA

"CVSS Implementation Guidance" (PDF). Retrieved 2014JUN26. {{cite web}}: Check date values in: |accessdate= (help) "Common Weakness Scoring System (CWSS™)". Retrieved 2014JUN26. {{cite web}}: Check date values in: |accessdate= (help)

Determine minimum required security controls based on aggregate score

"Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations" (PDF). Retrieved 2014JUN30. {{cite web}}: Check date values in: |accessdate= (help)

Conduct system specific risk analysis

"Guide for Conducting Risk Assessments". Retrieved 2014JUN30. {{cite web}}: Check date values in: |accessdate= (help)

Make risk determination

"risk assessment". Retrieved 2014JUN30. {{cite web}}: Check date values in: |accessdate= (help)

Magnitude of impact

Likelihood of threat

"Factors for Estimating Likelihood". Retrieved 2014JUN30. {{cite web}}: Check date values in: |accessdate= (help)

Decide which security controls should be applied based on minimum requirements

Avoid

Transfer

Mitigate

Accept

Implement controls

"Critical Security Controls". Retrieved 2014JUL07. {{cite web}}: Check date values in: |accessdate= (help)

ESA- Enterprise Security Architecture frameworks

Continuous monitoring

Explain the importance of preparing for and supporting the incident response and recovery process

"Computer Security Incident Handling Guide" (PDF). Retrieved 2014JUL14. {{cite web}}: Check date values in: |accessdate= (help)

E-Discovery

Electronic inventory and asset control=

Data retention policies

Data recovery and storage

Data ownership

Data handling

Data breach

Recovery

Minimization

Mitigation and response

System design to facilitate incident response taking into account types of violations

Internal and external

Privacy policy violations

Criminal actions

Establish and review system event and security logs

Incident and emergency response

Implement security and privacy policies and procedures based on organizational requirements

Policy development and updates in light of new business, technology and environment changes

Process/procedure development and updated in light of policy, environment and business changes

Support legal compliance and advocacy by partnering with HR, legal, management and other entities

Use common business documents to support security

Interconnection Security Agreement (ISA)

Memorandum of Understanding (MOU)

Service Level Agreement (SLA)

Operating Level Agreement (OLA)

Non-Disclosure Agreement (NDA)

Business Partnership Agreement (BPA)

Use general privacy principles for PII – Personally Identifiable Information/ Sensitive PII

Support the development of policies that contain

Separation of duties

Job rotation

Mandatory vacation

Least privilege

Incident response

Forensic tasks

On-going security

Training and awareness for users

Auditing requirements and frequency

Retrieved from "https://en.wikibooks.org/w/index.php?title=CASP/Risk&oldid=4489399"