Fortunate: I work with the best engineers in the world. Respectfully then, please find below an expansion on the CAC Model, further illustrating with simple diagrams how it comes together.
Three common siloed approaches to security, taken together, create a much more comprehensive approach than any one of them does by itself. Context aside, "Though one may be overpowered, two can defend themselves. A cord of three strands is not quickly broken." (Eccl 4:12).
- Focus on products
- Focus on process and operations
- Focus on a GRC program
Each of these three is a complete feedback-driven cycle with built-in compensation. Capacity or performance issues with your solution? Adjust accordingly. Compromised? The response includes After Action Reviews (AAR/PIR) to adjust what is provisioned, how it is configured, how you validate, how you monitor, and possibly even the response process itself. Audit issues, a sensitive environment, or additional unexpected risk? Adjust the control set and implementation defined in your GRC program.
Build the Model (diagram panels, in sequence):
- Technology Assets
- Secure Operations Processes
- Details of the PCVMR Cycle
- Controls Defined by GRC; Managed by Tools
- Completed Model
- Summary: Requirements; Processes; Work Loads
- Importance of Ecosystem and Configuration Elements
Links to the original posts:
- Solution Security
- Compliance for the Masses - Simplified Models
- Mission Operations - PCVMR Cycle
- Workflow for Analyzing Security Context
- Security and Auditing are Multidimensional. Not On...
- Circling Back: Repeatable Processes
- VMware vCloud Director Segmentation: PCI and HIPAA...
- The Circle of Trust - Cloud Audit Assurance
- Cloud Security and GRC: Internal Controls