CASP/Risk
Analyze the security risk implications associated with business decisions
Risk management of new products, new technologies and user behaviors
New or changing business models/strategies
Partnerships
Outsourcing
Mergers
Internal and external influences
Audit findings
Compliance
Client requirements
Top level management
Impact of de-perimeterization (e.g. constantly changing network boundary)
Considerations of enterprise standard operating environment (SOE) vs. allowing Bring Your Own Device (BYOD)
Execute and implement risk mitigation strategies and controls
Classify information types into levels of CIA – Confidentiality, Integrity, and Availability based on organization/industry
Determine aggregate score of CIA
"CVSS Implementation Guidance" (PDF). Retrieved 2014JUN26.
"Common Weakness Scoring System (CWSS™)". Retrieved 2014JUN26.
Determine minimum required security controls based on aggregate score
"Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations" (PDF). Retrieved 2014JUN30.
Conduct system specific risk analysis
"Guide for Conducting Risk Assessments". Retrieved 2014JUN30.
Make risk determination
"risk assessment". Retrieved 2014JUN30.
Magnitude of impact
Likelihood of threat
"Factors for Estimating Likelihood". Retrieved 2014JUN30.
Decide which security controls should be applied based on minimum requirements
Avoid
Transfer
Mitigate
Accept
Implement controls
"Critical Security Controls". Retrieved 2014JUL07.
ESA - Enterprise Security Architecture frameworks
Continuous monitoring
Explain the importance of preparing for and supporting the incident response and recovery process
"Computer Security Incident Handling Guide" (PDF). Retrieved 2014JUL14.
E-Discovery
Electronic inventory and asset control
Data retention policies
Data recovery and storage
Data ownership
Data handling
Data breach
Recovery
Minimization
Mitigation and response
System design to facilitate incident response taking into account types of violations
Internal and external
Privacy policy violations
Criminal actions
Establish and review system event and security logs
Incident and emergency response
Implement security and privacy policies and procedures based on organizational requirements
Policy development and updates in light of new business, technology and environment changes
Process/procedure development and updates in light of policy, environment and business changes
Support legal compliance and advocacy by partnering with HR, legal, management and other entities
Use common business documents to support security
Interconnection Security Agreement (ISA)
Memorandum of Understanding (MOU)
Service Level Agreement (SLA)
Operating Level Agreement (OLA)
Non-Disclosure Agreement (NDA)
Business Partnership Agreement (BPA)
Use general privacy principles for PII – Personally Identifiable Information/ Sensitive PII