A list of these assigned security points of contact


mation
✦✦Ongoing project overhead from security testing audit process
✦✦Organization overhead from project delays caused by failed security testing audits

Add'l Personnel
✦✦Architects (1 day/yr)
✦✦Developers (1 day/yr)
✦✦Security Auditors (1-2 days/yr)
✦✦QA Testers (1-2 days/yr)
✦✦Business Owners (1 day/yr)
✦✦Managers (1 day/yr)

Related Levels
✦✦Policy & Compliance - 2
✦✦Secure Architecture - 3

SAMM / The Security Practices - v1.0 69

Vulnerability Management

VM 1
Objective: Understand high-level plan for responding to vulnerability reports or incidents
Activities:
A. Identify point of contact for security issues
B. Create informal security response team(s)
Assessment:
✦✦Do most projects have a point of contact for security issues?
✦✦Does your organization have an assigned security response team?
✦✦Are most project teams aware of their security point(s) of contact and response team(s)?
Results:
✦✦Lightweight process in place to handle high-priority vulnerabilities or incidents
✦✦Framework for stakeholder notification and reporting of events with security impact
✦✦High-level due diligence for handling security issues

VM 2
Objective: Elaborate expectations for response process to improve consistency and communications
Activities:
A. Establish consistent incident response process
B. Adopt a security issue disclosure process
Assessment:
✦✦Does the organization utilize a consistent process for incident reporting and handling?
✦✦Are most project stakeholders aware of relevant security disclosures related to their software projects?
Results:
✦✦Communications plan for dealing with vulnerability reports from third parties
✦✦Clear process for releasing security patches to software operators
✦✦Formal process for tracking, handling, and internally communicating about incidents

VM 3
Objective: Improve analysis and data gathering within response process for feedback into proactive planning
Activities:
A. Conduct root cause analysis for incidents
B. Collect per-incident metrics
Assessment:
✦✦Are most incidents inspected for root causes to generate further recommendations?
✦✦Do most projects consistently collect and report data and metrics related to incidents?
Results:
✦✦Detailed feedback for organizational improvement after each incident
✦✦Rough cost estimation from vulnerabilities and compromises
✦✦Stakeholders better able to make tradeoff decisions based on historic incident trends

Vulnerability Management
VM 1: Understand high-level plan for responding to vulnerability reports or incidents

A. Identify point of contact for security issues
For each division within the organization or for each project team, establish a point of contact to serve as a communications hub for security information. While this responsibility will generally not claim much of the individuals' time, the purpose of having a predetermined point of contact is to add structure and governance to vulnerability management. Examples of incidents that might call on the point of contact include receipt of a vulnerability report from an external entity, compromise or other security failure of software in...

This homework help was uploaded on 03/31/2014 for the course GEN ED IS taught by Professor 3445 during the Spring '14 term at ITT Tech Flint.
