CAC Model 2.0

Fortunate. Work with the best engineers in the world. Respectfully then, please find below an expansion on the CAC Model, further illustrating with simple diagrams how this comes together.

Three common silo approaches to security taken together creates a much more comprehensive approach than by themselves. Context aside, "Though one may be overpowered, two can defend themselves. A cord of three strands is not quickly broken." (Eccl 4:12). 
  • Focus on products
  • Focus on process and operations
  • Focus on a GRC program
Each of these three is a complete feedback driven cycle with built-in compensation. Capacity or performance issues with your solution? Adjust accordingly. Compromised? Response includes After Action Reviews (AAR/PIR) to adjust what's provisioned, how it's configured, how you validate, how you monitor, and possibly even the response process itself. Audit issues, sensitive environment, or additional unexpected risk? Adjust your control set and implementation defined in your GRC program. 

Build the Model
Technology Assets

Secure Operations Processes

Details of the PCVMR Cycle
Controls Defined by GRC; Managed by Tools

Completed Model

Summary: Requirements; Processes; Work Loads

Importance of Ecosystem and Configuration Elements
Links to the original posts
Solution Security
Compliance for the Masses - Simplified Models
Mission Operations - PCVMR Cycle
Workflow for Analyzing Security Context
Security and Auditing are Multidimensional. Not On...
Circling Back: Repeatable Processes
VMware vCloud Director Segmentation: PCI and HIPAA...
The Circle of Trust - Cloud Audit Assurance
Cloud Security and GRC: Internal Controls