Analyze the security risk implications associated with business decisions
  Risk management of new products, new technologies and user behaviors
  New or changing business models/strategies
    Partnerships
    Outsourcing
    Mergers
  Internal and external influences
    Audit findings
    Compliance
    Client requirements
    Top level management
  Impact of de-perimeterization (e.g. constantly changing network boundary)
    Considerations of enterprise standard operating environment (SOE) vs. allowing Bring Your Own Device (BYOD)
Execute and implement risk mitigation strategies and controls
  Classify information types into levels of CIA (Confidentiality, Integrity, and Availability) based on organization/industry
  Determine aggregate score of CIA
    "CVSS Implementation Guidance". http://nvlpubs.nist.gov/nistpubs/ir/2014/NIST.IR.7946.pdf. Retrieved 2014JUN26.
    "Common Weakness Scoring System (CWSS™)". http://cwe.mitre.org/cwss. Retrieved 2014JUN26.
  Determine minimum required security controls based on aggregate score
    "Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations". http://csrc.nist.gov/publications/nistpubs/800-137/SP800-137-Final.pdf. Retrieved 2014JUN30.
  Conduct system specific risk analysis
    "Guide for Conducting Risk Assessments". http://www.nist.gov/customcf/get_pdf.cfm?pub_id=912091. Retrieved 2014JUN30.
  Make risk determination
    "risk assessment". http://www.ready.gov/risk-assessment. Retrieved 2014JUN30.
    Magnitude of impact
    Likelihood of threat
      "Factors for Estimating Likelihood". https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology#Step_2:_Factors_for_Estimating_Likelihood. Retrieved 2014JUN30.
  Decide which security controls should be applied based on minimum requirements
    Avoid
    Transfer
    Mitigate
    Accept
  Implement controls
    "Critical Security Controls". http://www.sans.org/critical-security-controls. Retrieved 2014JUL07.
  Enterprise Security Architecture (ESA) frameworks
  Continuous monitoring
Explain the importance of preparing for and supporting the incident response and recovery process
  "Computer Security Incident Handling Guide". http://csrc.nist.gov/publications/nistpubs/800-61rev2/SP800-61rev2.pdf. Retrieved 2014JUL14.
  E-Discovery
    Electronic inventory and asset control
    Data retention policies
    Data recovery and storage
    Data ownership
    Data handling
  Data breach
    Recovery
    Minimization
    Mitigation and response
  System design to facilitate incident response taking into account types of violations
    Internal and external
    Privacy policy violations
    Criminal actions
  Establish and review system event and security logs
  Incident and emergency response
Implement security and privacy policies and procedures based on organizational requirements
  Policy development and updates in light of new business, technology and environment changes
  Process/procedure development and updates in light of policy, environment and business changes
  Support legal compliance and advocacy by partnering with HR, legal, management and other entities
  Use common business documents to support security
    Interconnection Security Agreement (ISA)
    Memorandum of Understanding (MOU)
    Service Level Agreement (SLA)
    Operating Level Agreement (OLA)
    Non-Disclosure Agreement (NDA)
    Business Partnership Agreement (BPA)
  Use general privacy principles for PII (Personally Identifiable Information) / Sensitive PII