CSP build: Defense metric build through OASIS
- Defenses (may span more than 1 layout)
- Defense Sectors
- Installation and configuration
- Maintenance and management
- Policies and procedures
Base defense metric: CS5L standard defense metric
- NIST standard - Top level
- ISO27K standard - Maps to defenses
- Defense metric - Inherits above
Add VAA metric: specific to the VAA (Value Added Auditor)
Add industry metric: industry - compliance metric
- Legal - client dependent
- Investors - client dependent
- Distribution - PCI
- Manufacturing - SCADA
- Retail outlets - PCI and HIPAA (if pharmacy)
- Internet companies
- Financial - PCI
- Insurance - PCI
- Healthcare - HIPAA
- Utility power - SCADA
- Telecommunications - PCI
Each industry inherits compliance metric
Add client metric: risk and compliance specific, added by the VAA
Weighted: all metric builds are weighted by risk exposure