SAMM / The Security Practices - v1.0, B. Collect metrics for historic security spend, p. 37



...error in risk evaluation/classification or the necessity to tune the organization’s assurance program to address root causes for security cost more effectively. The tracking of security spend per project should be done quarterly at the assurance program strategy session, and the information should be reviewed and evaluated by stakeholders at least annually. Outliers and other unforeseen costs should be discussed for their potential effect on the assurance program roadmap.

✦ Buildout or license industry intelligence on security programs
✦ Program overhead from cost estimation, tracking, and evaluation

Add’l Personnel
✦ Architects (1 day/yr)
✦ Managers (1 day/yr)
✦ Business Owners (1 day/yr)
✦ Security Auditor (1 day/yr)

Related Levels
✦ Vulnerability Management - 1

Policy & Compliance

PC 1
Objective: Understand relevant governance and compliance drivers to the organization
Activities:
✦ A. Identify and monitor external compliance drivers
✦ B. Build and maintain compliance guidelines
Assessment:
✦ Do most project stakeholders know their project’s compliance status?
✦ Are compliance requirements specifically considered by project teams?
Results:
✦ Increased assurance for handling third-party audit with positive outcome
✦ Alignment of internal resources based on priority of compliance requirements
✦ Timely discovery of evolving regulatory requirements that affect your organization

PC 2
Objective: Establish security and compliance baseline and understand per-project risks
Activities:
✦ A. Build policies and standards for security and compliance
✦ B. Establish project audit practice
Assessment:
✦ Does the organization utilize a set of policies and standards to control software development?
✦ Are project teams able to request an audit for compliance with policies and standards?
Results:
✦ Awareness for project teams regarding expectations for both security and compliance
✦ Business owners that better understand specific compliance risks in their product lines
✦ Optimized approach for efficiently meeting compliance with opportunistic security improvement

PC 3
Objective: Require compliance and measure projects against organization-wide policies and standards
Activities:
✦ A. Create compliance gates for projects
✦ B. Adopt solution for audit data collection
Assessment:
✦ Are projects periodically audited to ensure a baseline of compliance with policies and standards?
✦ Does the organization systematically use audits to collect and control compliance evidence?
Results:
✦ Organization-level visibility of accepted risks due to non-compliance
✦ Concrete assurance for compliance at the project level
✦ Accurate tracking of past project compliance history
✦ Efficient audit process leveraging tools to cut manual effort

Policy & Compliance, PC 1: Understand relevant governance and compliance drivers to the organization
Activities: A. Identify and monitor external co...

This homework help was uploaded on 03/31/2014 for the course GEN ED IS taught by Professor 3445 during the Spring '14 term at ITT Tech Flint.
