Monday, February 1, 2016

CS5L CMM standards and defense metric build



CSP build: Defense metric build through OASIS

  • Defenses (may span more than 1 layout)
  • Defense Sectors
    • Installation and configuration
    • Maintenance and management
    • Policies and procedures



Base defense metric: CS5L standard defense metric

  • NIST standard - top level
  • ISO27K standard - maps to defenses
  • Defense metric - inherits the above


add VAA metric: specific to VAA Value Added Auditor

add industry metric: industry - compliance metric

  • Legal - client dependent
  • Investors - client dependent
  • Distribution - PCI
  • Manufacturing - SCADA
  • Retail outlets - PCI and HIPAA (if pharmacy)
  • Internet companies
  • Financial - PCI
  • Insurance - PCI
  • Healthcare - HIPAA
  • Utility power - SCADA
  • Telecommunications - PCI

Each industry inherits its compliance metric

add client metric: risk- and compliance-specific items added by the VAA

Weighted: all metric builds are weighted by risk exposure.
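The layered build described above (base defense metric, then the industry compliance overlay, then client-specific additions, scored by risk exposure) is easy to get wrong when a later layer re-states a check with a different weight or when a pass/fail count is used instead of exposure-weighted coverage. The following is an added example, not code from the original notes or from any CS5L/OASIS tooling; the check ids, the one-to-three sector names, the 1.0-5.0 exposure scale and the contents of the PCI/HIPAA/SCADA overlays are constructed placeholders, and only the industry-to-regime mapping follows the outline (retail adds HIPAA only when a pharmacy is present).

```python
"""Layered defense-metric build with risk-exposure weighting.

Added example. Check ids, exposure weights and overlay contents are constructed
placeholders standing in for real NIST / ISO 27K / PCI / HIPAA / SCADA checks.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Check:
    check_id: str
    sector: str       # one of the three defense sectors from the outline
    exposure: float   # risk-exposure weight (hypothetical 1.0-5.0 scale)


SECTORS = ("installation", "maintenance", "policy")

# Base defense metric: placeholder checks standing in for NIST / ISO 27K derived items.
BASE_METRIC = (
    Check("base-patching", "maintenance", 4.0),
    Check("base-hardening", "installation", 3.0),
    Check("base-access-policy", "policy", 2.0),
)

# Compliance overlays keyed by regime (placeholder checks, not real control text).
REGIME_OVERLAYS = {
    "PCI": (Check("pci-cardholder-segmentation", "installation", 5.0),
            Check("pci-log-review", "maintenance", 3.0)),
    "HIPAA": (Check("hipaa-phi-encryption", "installation", 5.0),
              Check("hipaa-access-review", "policy", 3.0)),
    "SCADA": (Check("scada-ot-segmentation", "installation", 5.0),
              Check("scada-change-control", "policy", 4.0)),
}

# Industry -> regimes, following the outline; client-dependent industries get no fixed regime.
INDUSTRY_REGIMES = {
    "legal": (), "investors": (), "internet": (),
    "distribution": ("PCI",), "manufacturing": ("SCADA",), "retail": ("PCI",),
    "financial": ("PCI",), "insurance": ("PCI",), "healthcare": ("HIPAA",),
    "utility-power": ("SCADA",), "telecommunications": ("PCI",),
}


def build_metric(industry, client_checks=(), pharmacy=False):
    """Inherit base, then the industry's compliance overlay(s), then client checks.

    A check id repeated in a later layer overrides the earlier one, so the VAA
    can raise (or lower) the exposure of a base check for a specific client.
    """
    if industry not in INDUSTRY_REGIMES:
        raise ValueError(f"unknown industry: {industry}")
    regimes = list(INDUSTRY_REGIMES[industry])
    if industry == "retail" and pharmacy:   # retail outlets: PCI, plus HIPAA if pharmacy
        regimes.append("HIPAA")
    metric = {}
    layers = (BASE_METRIC, *(REGIME_OVERLAYS[r] for r in regimes), tuple(client_checks))
    for layer in layers:
        for check in layer:
            if check.sector not in SECTORS:
                raise ValueError(f"{check.check_id}: unknown sector {check.sector}")
            metric[check.check_id] = check
    return metric


def weighted_score(metric, results):
    """Share of total risk exposure covered by passing checks (0.0-1.0).

    A check with no recorded result counts as failed, so gaps in the
    assessment can only lower the score, never inflate it.
    """
    total = sum(c.exposure for c in metric.values())
    if total == 0:
        return 0.0
    covered = sum(c.exposure for c in metric.values() if results.get(c.check_id, False))
    return round(covered / total, 3)


def sector_scores(metric, results):
    """Weighted score per defense sector; None when a sector has no checks."""
    out = {}
    for sector in SECTORS:
        subset = {k: c for k, c in metric.items() if c.sector == sector}
        out[sector] = weighted_score(subset, results) if subset else None
    return out


if __name__ == "__main__":
    # Constructed assessment: a retail pharmacy that fails only its PCI segmentation check.
    metric = build_metric("retail", pharmacy=True)
    results = {cid: cid != "pci-cardholder-segmentation" for cid in metric}
    print(f"{len(metric)} checks, weighted score {weighted_score(metric, results)}")
    print(sector_scores(metric, results))
```

With this input, 6 of 7 checks pass (a raw pass rate of about 0.857), but the one failure carries the highest exposure, so the weighted score drops to 0.8 and the installation sector alone scores about 0.615. That gap between pass rate and exposure-weighted coverage is the point of the "weighted by risk exposure" rule in the build.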