CASP/Risk
Risk management of new products, new technologies and user behaviors
New or changing business models/strategies
Internal and external influences
Client requirements
Impact of de-perimeterization (e.g. constantly changing network boundary)
Considerations of enterprise standard operating environment (SOE) vs. allowing Bring Your Own Device (BYOD)
Execute and implement risk mitigation strategies and controls
Classify information types into levels of CIA – Confidentiality, Integrity, and Availability based on organization/industry
Determine aggregate score of CIA
[edit | edit source]"CVSS Implementation Guidance" (PDF). Retrieved 2014JUN26. {{cite web}}
: Check date values in: |accessdate=
(help)
"Common Weakness Scoring System (CWSS™)". Retrieved 2014JUN26. {{cite web}}
: Check date values in: |accessdate=
(help)
Determine minimum required security controls based on aggregate score
"Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations" (PDF). Retrieved 30 June 2014.
Conduct system specific risk analysis
"Guide for Conducting Risk Assessments". Retrieved 30 June 2014.
Make risk determination
"Risk assessment". Retrieved 30 June 2014.
Likelihood of threat
"Factors for Estimating Likelihood". Retrieved 30 June 2014.
Decide which security controls should be applied based on minimum requirements
Avoid
"Critical Security Controls". Retrieved 7 July 2014.
Explain the importance of preparing for and supporting the incident response and recovery process
"Computer Security Incident Handling Guide" (PDF). Retrieved 14 July 2014.
E-Discovery
Electronic inventory and asset control
Data retention policies
Data recovery and storage
Data ownership
Data handling
Data breach
Recovery
Minimization
Mitigation and response
System design to facilitate incident response taking into account types of violations
Internal and external
Privacy policy violations
Criminal actions
Establish and review system event and security logs
Incident and emergency response
Implement security and privacy policies and procedures based on organizational requirements
Policy development and updates in light of new business, technology and environment changes
Process/procedure development and updates in light of policy, environment and business changes
Support legal compliance and advocacy by partnering with HR, legal, management and other entities
Use common business documents to support security
Interconnection Security Agreement (ISA)
Memorandum of Understanding (MOU)
Service Level Agreement (SLA)
Operating Level Agreement (OLA)
Non-Disclosure Agreement (NDA)
Business Partnership Agreement (BPA)
Use general privacy principles for PII – Personally Identifiable Information / Sensitive PII