nning efforts with regard to building the assurance program. Communicate information about compliance gaps to stakeholders to ensure awareness of the risk from non-compliance.

39

PC 2 Policy & Compliance
Establish a security and compliance baseline and understand per-project risks

Results
✦ Awareness for project teams regarding expectations for both security and compliance
✦ Business owners that better understand specific compliance risks in their product lines
✦ Optimized approach for efficiently meeting compliance with opportunistic security improvement

Add'l Success Metrics
✦ >75% of staff briefed on policies and standards in past 6 months
✦ >80% of stakeholders aware of compliance status against policies and standards

Add'l Costs
✦ Internal standards buildout or license
✦ Per-project overhead from compliance with internal standards and audit

Add'l Personnel
✦ Architects (1 day/yr)
✦ Managers (1 day/yr)
✦ Security Auditors (2 days/project/yr)

SAMM / The Security Practices - v1.0

40

Related Levels
✦ Education & Guidance - 1 & 3
✦ Strategy & Metrics - 2
✦ Security Requirements - 1 & 3
✦ Secure Architecture - 3
✦ Code Review - 3
✦ Design Review - 3
✦ Environment Hardening - 3

Activities

A. Build policies and standards for security and compliance

Beginning with current compliance guidelines, review regulatory standards and note any optional or recommended security requirements. The organization should also conduct a small amount of research to discover any potential future changes in compliance requirements that are relevant. Augment the list with any additional requirements based on known business drivers for security. Often it is simplest to consult existing guidance already provided to development staff and gather a set of best practices. Group common or similar requirements and rewrite each group as a more generalized, simplified statement that meets all the compliance drivers and also provides some additional security value.

Work through this process for each grouping with the goal of building a set of internal policies and standards that can be directly mapped back to compliance drivers and best practices. It is important that the set of policies and standards not contain requirements that are too difficult or excessively costly for project teams to comply with. A useful heuristic is that approximately 80% of projects should be able to comply with minimal disruption. This requires a good communications program to be set up to advertise the new policies and standards and to assist teams with compliance if needed.

B. Establish project audit practice

Create a simple audit process for project teams to request and receive an audit against internal standards. Audits are typically performed by security auditors but can also be conducted by security-savvy staff as long as they are knowledgeable about the internal standards. Based upon any known business risk indicators, projects can be prioritized concurrently with audit queue triage so that high-risk software is assessed sooner or more frequently. Additionally, low-risk proje...
This homework help was uploaded on 03/31/2014 for the course GEN ED IS taught by Professor 3445 during the Spring '14 term at ITT Tech Flint.