This preview shows page 1. Sign up to view the full content.
Unformatted text preview: nning efforts
with regard to building the assurance program. Communicate information about compliance
gaps with stakeholders to ensure awareness of the risk from non-compliance. 39 PC 2 Policy & Compliance Establish security and compliance baseline and understand per-project risks Results
✦✦Awareness for project teams
regarding expectations for both
security and compliance
✦✦Business owners that better
understand specific compliance
risks in their product lines
✦✦Optimized approach for efficiently
meeting compliance with opportunistic
security improvement Add’l Success Metrics
✦✦>75% of staff briefed on policies
and standards in past 6 months
✦✦>80% stakeholders aware of compliance
status against policies and standards Add’l Costs
✦✦Internal standards buildout or license
✦✦Per-project overhead from compliance
with internal standards and audit Add’l Personnel
✦✦Architects (1 days/yr)
✦✦Managers (1 days/yr)
✦✦Security Auditors (2 days/project/yr) SAMM / The Security Practices - v1.0 Related Levels 40 ✦✦Education & Guidance - 1 & 3
✦✦Strategy & Metrics - 2
✦✦Security Requirements - 1 & 3
✦✦Secure Architecture - 3
✦✦Code Review - 3
✦✦Design Review - 3
✦✦Environment Hardening - 3 Activities
A. Build policies and standards for security and compliance
Beginning with a current compliance guidelines, review regulatory standards and note any
optional or recommended security requirements. Also, the organization should conduct a
small amount of research to discover any potential future changes in compliance requirements that are relevant.
Augment the list with any additional requirements based on known business drivers for security. Often it is simplest to consult existing guidance being provided to development staff
and gather a set of best practices.
Group common/similar requirements and rewrite each group as more generalized/simplified
statements that meet all the compliance drivers as well as provide some additional security
value. Work through this process for each grouping with the goal of building a set of internal policies and standards that can be directly mapped back to compliance drivers and best
It is important for the set of policies and standards to not contain requirements that are
too difficult or excessively costly for project teams to comply. A useful heuristic is that approximately 80% of projects should be able to comply with minimal disruption. This requires
a good communications program being set up to advertise the new policies/standards and
assist teams with compliance if needed. B. Establish project audit practice
Create a simple audit process for project teams to request and receive an audit against internal standards. Audits are typically performed by security auditors but can also be conducted
by security-savvy staff as long as they are knowledgeable about the internal standards.
Based upon any known business risk indicators, projects can be prioritized concurrently with
audit queue triage such that high-risk software is assessed sooner or more frequently. Additionally, low-risk proje...
View Full Document
This homework help was uploaded on 03/31/2014 for the course GEN ED IS taught by Professor 3445 during the Spring '14 term at ITT Tech Flint.
- Spring '14