Control Framework Sustainment and Security of Operations
The Complete Guide to Cybersecurity Risks and Controls by Anne Kohnke, Dan Shoemaker and Ken Sigler
1. Identify the impact of change on the assurance case.
2. Identify the violation, exposure, or vulnerability type—the threat is explicitly classified by type.
3. Identify the scope of the violation, exposure, or vulnerability—the extent or boundary of the threat is fully and explicitly itemized.
4. Provide a formal statement of the criticality of the violation, exposure, or vulnerability.
5. Document all feasible options for analysis.
6. Perform a comprehensive risk identification—identification of the type and extent of risk for each option.
7. Perform a detailed risk evaluation—assess the likelihood and feasibility of each identified risk for each option.
8. Estimate safety and security impacts if change is implemented—based on likelihood percentages and feasibility for each option.
9. Estimate the safety and security impacts if change is not implemented—based on the likelihood of occurrence of financial and operational impacts of each identified option.
10. Assess the impact of change on security and control architecture.
11. Perform control set understanding and design description exercise for all automated security and control features.
12. Estimate and assess the implications of change as they impact the policy and procedure infrastructure.
13. Estimate the impact of change on the business continuity/disaster recovery strategy.
14. Specify feasible recovery time, NRO, and recovery point impact estimates for each option.
15. Estimate the return on investment for each option, including total cost of ownership and marginal loss percentage.
16. Estimate the level of test and evaluation commitment necessary for verification and validation.
17. For each option, prepare a testing program—sample test cases and methods of administration.
18. Estimate the resource requirements, staff capability, and feasibility of administration of tests.
19. Estimate the financial impacts where appropriate for each option.
20. Estimate the feasibility and timelines for implementing each option.
21. Prepare a project plan for each option if detailed level of understanding required.