rability Management
Environment Hardening
Operational Enablement

SAMM / Applying the Model - v1.0

For organizations under heavy regulations that affect business processes, the build-out of the Policy & Compliance Practice should be adjusted to accommodate external drivers. Likewise, organizations under a lighter compliance load should take the opportunity to push back build-out of that Practice in favor of others.

31

The Security Practices
An explanation of the details

This section defines the building blocks of SAMM, the Maturity Levels under each Security Practice. For each Practice, the three Levels are covered in a summary table. Following that, the description for each Level includes detailed explanations of the required activities, results an organization can expect from attaining the Level, success metrics to gauge performance, required ongoing personnel investment, and additional associated costs.

Strategy & Metrics

SM 1
  Objective: Establish a unified strategic roadmap for software security within the organization
  Activities:
    A. Estimate overall business risk profile
    B. Build and maintain assurance program roadmap
  Assessment:
    ✦ Is there a software security assurance program already in place?
    ✦ Do most of the business stakeholders understand your organization's risk profile?
    ✦ Is most of your development staff aware of future plans for the assurance program?
  Results:
    ✦ Concrete list of the most critical business-level risks caused by software
    ✦ Tailored roadmap that addresses the security needs for your organization with minimal overhead
    ✦ Organization-wide understanding of how the assurance program will grow over time

SM 2
  Objective: Measure relative value of data and software assets and choose risk tolerance
  Activities:
    A. Classify data and applications based on business risk
    B. Establish and measure per-classification security goals
  Assessment:
    ✦ Are most of your applications and resources categorized by risk?
    ✦ Are risk ratings used to tailor the required assurance activities?
    ✦ Does most of the organization know what is required based on risk ratings?
  Results:
    ✦ Customized assurance plans per project based on core value to the business
    ✦ Organization-wide understanding of the security relevance of data and application assets
    ✦ Better informed stakeholders with respect to understanding and accepting risks

SM 3
  Objective: Align security expenditure with relevant business indicators and asset value
  Activities:
    A. Conduct periodic industry-wide cost comparisons
    B. Collect metrics for historic security spend
  Assessment:
    ✦ Is per-project data for the cost of assurance activities collected?
    ✦ Does your organization regularly compare your security spend with other organizations?
  Results:
    ✦ Information to make informed case-by-case decisions on security expenditures
    ✦ Estimates of past loss due to security issues
    ✦ Per-project consideration of security expense versus loss potential
    ✦ Industry-wide due diligence with regard to security

SAMM / The Security Practices - v1.0

34

Strategy & Metrics SM 1 Establish u...