CASP+ Policies and frameworks - Coggle Diagram
CASP+
  Policies and frameworks
    Policies
      Separation of duties
        high-risk functions should separate duty
        example: i.e. backup role vs. restore role; missile control (2 key)
      Job Rotation
        prevent fraud & abuse
      Mandatory Vacation
        employee required to take vacation at some point in year
      Least Privilege
        need-to-know
        assign user to group or role
      Employment and Termination Procedures
      Training and Awareness of Users
        Security Awareness Training
          reinforce importance of their help in securing org valuable resources
          based on intended audience
        Security Training
          teach skill to perform job in more secure way (more procedure)
          specialized based on law, regulation, business model
        Security Education
          less procedure, more general
          for all network and all org
      Auditing Requirements and their Frequency
        what to audit at what level
    Frameworks
      Policy
        state role & establish desired end-state
        basic foundation: standard, baseline, guideline, procedure
          standard: used to implement policy
          baseline: created as ref point for comparison
          guideline: recommended
          procedure: step-by-step instruction
        level
          organizational security policy
            general direction goal
            framework to meet goal
            define role, responsibilities, terms
          system-specific policy
            address need of specific technology, app, network or system
          issue-specific policy
            address specific security issue
        category
          regulatory policy
          advisory policy
          informative policy
      Framework
        SABSA
          risk driven
          6 layers: operational, component, physical, logical, conceptual, contextual
        COBIT (control objectives for info & related technology)
          plan & organize
          acquire & implement
          deliver & support
          monitor & evaluate
        ITIL
          34 practices (for agile & blend of DevOps & DevSecOps)
        NIST 800-53
      Regulation
        HIPAA (health insurance portability & accountability act)
        HCERA 2010 (health care & education reconciliation act of 2010)
        Sarbanes-Oxley act (SOX)
          law: accounting method & finance report
        GLBA (Gramm-Leach-Bliley act 1999)
          prevent finance with 3rd
        FISMA (Federal info security management act 2002)
        FPA (Federal privacy act of 1974)
        FERPA (family educational rights & privacy act)
        CFAA (computer fraud and abuse act 1986)
        EEA (economic espionage)
        COPPA (children online privacy)
        PIPEDA (personal info protection & electronic documents act)
        GDPR (General data protection regulation)
      Standard (best practice)
        PCI DSS (credit)
        ISO
        CMMI
        NIST
          CSF
        CC (common criteria)
          EAL (evaluation assurance level)
        CSA STAR (cloud computing)
      Contracts & agreements
        SLA (service-level agreement)
        OLA (operational level agreement)
        NDA (non-disclosure agreement)
        MOU (memorandum of understanding)
        Interoperability agreement
        reciprocal agreements
        ISA (interconnection security agreement)
        BPA (business partnership agreement)
        Privacy-level agreement
      Legal considerations
        Due diligence (measure)
        Due care (action)
        Export control regulations
        Legal hold
        Electronic discovery
          metadata
        third-party attestation
        Integrating industries