CASP/Risk

Analyze the security risk implications associated with business decisions

Risk management of new products, new technologies and user behaviors

New or changing business models/strategies

Partnerships

Outsourcing

Mergers

Internal and external influences

Audit findings

Compliance

Client requirements

Top level management

Impact of de-perimeterization (e.g. a constantly changing network boundary)

Considerations of an enterprise standard operating environment (SOE) vs. allowing Bring Your Own Device (BYOD)

Execute and implement risk mitigation strategies and controls

Classify information types into levels of CIA (Confidentiality, Integrity, and Availability) based on organization/industry

Determine aggregate score of CIA

"CVSS Implementation Guidance". http://nvlpubs.nist.gov/nistpubs/ir/2014/NIST.IR.7946.pdf. Retrieved 2014JUN26.
"Common Weakness Scoring System (CWSS™)". http://cwe.mitre.org/cwss. Retrieved 2014JUN26.

Determine minimum required security controls based on aggregate score

"Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations". http://csrc.nist.gov/publications/nistpubs/800-137/SP800-137-Final.pdf. Retrieved 2014JUN30. 

Conduct system-specific risk analysis

"Guide for Conducting Risk Assessments". http://www.nist.gov/customcf/get_pdf.cfm?pub_id=912091. Retrieved 2014JUN30. 

Make risk determination

"risk assessment". http://www.ready.gov/risk-assessment. Retrieved 2014JUN30. 

Magnitude of impact

Likelihood of threat

"Factors for Estimating Likelihood". https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology#Step_2:_Factors_for_Estimating_Likelihood. Retrieved 2014JUN30. 

Decide which security controls should be applied based on minimum requirements

Avoid

Transfer

Mitigate

Accept

Implement controls

"Critical Security Controls". http://www.sans.org/critical-security-controls. Retrieved 2014JUL07. 

ESA (Enterprise Security Architecture) frameworks

Continuous monitoring

Explain the importance of preparing for and supporting the incident response and recovery process

"Computer Security Incident Handling Guide". http://csrc.nist.gov/publications/nistpubs/800-61rev2/SP800-61rev2.pdf. Retrieved 2014JUL14. 

E-Discovery

Electronic inventory and asset control

Data retention policies

Data recovery and storage

Data ownership

Data handling

Data breach

Recovery

Minimization

Mitigation and response

System design to facilitate incident response, taking into account types of violations

Internal and external

Privacy policy violations

Criminal actions

Establish and review system event and security logs

Incident and emergency response

Implement security and privacy policies and procedures based on organizational requirements

Policy development and updates in light of new business, technology and environment changes

Process/procedure development and updates in light of policy, environment and business changes

Support legal compliance and advocacy by partnering with HR, legal, management and other entities

Use common business documents to support security

Interconnection Security Agreement (ISA)

Memorandum of Understanding (MOU)

Service Level Agreement (SLA)

Operating Level Agreement (OLA)

Non-Disclosure Agreement (NDA)

Business Partnership Agreement (BPA)

Use general privacy principles for PII (Personally Identifiable Information) / Sensitive PII

Support the development of policies that contain

Separation of duties

Job rotation

Mandatory vacation

Least privilege

Incident response

Forensic tasks

On-going security

Training and awareness for users

Auditing requirements and frequency